Ok, so the assumption is that daemons are not compromised?  In other words, if 
a daemon is compromised (or could be compromised), wouldn't you want to monitor 
it's behavior as well?


-----Original Message-----
From: Steve Grubb [mailto:[email protected]] 
Sent: Wednesday, May 11, 2016 11:35 AM

When a user logs in, the auid gets set to the uid that they used to login with. 
Daemons are not user sessions and have the loginuid set to  -1. The auid 
representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The 
rules use a directive like this: -F auid>=1000 to trigger on user activity. It 
turns out that would trigger on daemons doing something because 4294967295 is 
greater than 1000. So, we exclude daemons because user activity is the prime 
target.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to