On Thursday, May 14, 2015 03:24:16 PM leam hall wrote: > Some security requirements include auditing events by users and root. So > the line might include something like: > > -F auid=0 -F auid>=500 -F auid!=4294967295
The fields will be "anded". You cannot simultaneously have auid of 0 and >=500. So, you won't get any events. > My question is, if you don't include that phrase will the audit system > still get everything and not incur a serious performance hit. Effectively > it will audit everything for users 1-499, the usual system accounts. Typically the requirements read as audit root user actions - which is covered by TTY auditing. Everything else is covered by the other rules. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
