Hi everyone, this is my first post here, so apologies if I don't provide all the required information.
I'm just working on PCI-DSS compliance with the xccdf_org.ssgproject.content_profile_pci-dss policy and the RHEL7 security guide. Having reviewed the report.html file, it's advising me about several recommended auditing issues; the blurb is: "At a minimum the audit system should collect file permission changes for all users and root." The remediation advice suggests implementing the following audit rule for 32-bit systems:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod

But I'm confused as to how this achieves what it sets out to do. I should mention that I'm establishing loginuid by running:

cat /proc/<pid>/loginuid

1) Most of the loginuids for "logged in users" on my machine have a loginuid of 4294967295 (which I understand is effectively -1, in other words the loginuid is not set). Only users that have remotely accessed my machine by logging in over ssh seem to have a loginuid that would match the above criteria, i.e. not 4294967295 and above 1000. Is this normal? And why would I want to exclude auditing for users with a loginuid of 4294967295?

2) Furthermore, how will the above criteria include the root user? Does this have a loginuid of 1 (root) or something else?

I'm sure the issue is down to my lack of knowledge, but I'd be grateful for some education.

Many thanks for any help,

JJ Millen
Oracle DBA and Unix Systems Administrator
IT - UK - Infrastructure
Reed Specialist Recruitment
Ext: 76089

Disclaimer: This email and its contents are confidential. Please read the disclaimer at www.reedglobal.com/email_disclaimer
_______________________________________________ Open-scap-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/open-scap-list
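The following is an added worked example, not code from the original post, from the SCAP Security Guide project or from auditd itself. It parses the -S and -F parts of the perm_mod rule quoted above and evaluates them against a handful of constructed audit events, so the two questions in the post can be checked against the filter logic rather than guessed at: auid is the login uid pam_loginuid stamps on a session at login and it is inherited by every child process, so a user who logs in over ssh and then runs su or sudo to root keeps auid>=1000 and is still matched (that is how "root" activity ends up covered); a process that never passed through a login (cron jobs, daemons started at boot) carries the unset value 4294967295, which the rule deliberately skips; and, as a consequence of the filter as written, a root login directly on the console (auid 0) is not matched by this particular rule, nor is a 64-bit chown, which the guide covers with a separate arch=b64 rule. The event names and uid values are constructed sample data; the rule string is the one from the post.

```python
"""Evaluate an auditctl syscall rule's -S / -F filters against sample events.

Added example: models only the subset of auditctl filter syntax used by the
perm_mod rule (arch=, auid>=, auid!=, -S syscall list). It is not auditd code.
"""
import re
from dataclasses import dataclass

AUID_UNSET = 4294967295  # (unsigned)-1: the session never went through a login

# Rule string as quoted in the post (32-bit variant of the perm_mod rule).
PERM_MOD_RULE = ("-a always,exit -F arch=b32 -S chown "
                 "-F auid>=1000 -F auid!=4294967295 -k perm_mod")

_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_FILTER_RE = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(\w+)$")


@dataclass(frozen=True)
class AuditEvent:
    """Constructed stand-in for the fields of a SYSCALL audit record."""
    arch: str     # "b32" or "b64"
    syscall: str  # e.g. "chown"
    auid: int     # login uid of the session (audit's auid field)
    uid: int      # effective uid when the syscall ran


def parse_rule(rule):
    """Return (set of syscalls, list of (field, op, value) filters)."""
    syscalls, filters = set(), []
    tokens = rule.split()
    i = 0
    while i < len(tokens):
        if tokens[i] == "-S":
            syscalls.update(tokens[i + 1].split(","))
            i += 2
        elif tokens[i] == "-F":
            m = _FILTER_RE.match(tokens[i + 1])
            if not m:
                raise ValueError(f"unsupported filter: {tokens[i + 1]}")
            filters.append(m.groups())
            i += 2
        else:
            i += 1  # "-a always,exit", "-k perm_mod" etc. do not affect matching
    return syscalls, filters


def rule_matches(rule, event):
    """True if the event would be recorded by the rule: syscall AND every -F filter."""
    syscalls, filters = parse_rule(rule)
    if event.syscall not in syscalls:
        return False
    for field, op, raw in filters:
        actual = getattr(event, field)
        expected = raw if field == "arch" else int(raw)
        if not _OPS[op](actual, expected):
            return False
    return True


def classify_auid(auid):
    """Label a value read from /proc/<pid>/loginuid the way the rule sees it."""
    if auid == AUID_UNSET:
        return "unset"            # no login session behind this process
    if auid < 1000:
        return "system-or-root"   # below the rule's auid>=1000 threshold
    return "regular-user"


# Constructed sample events covering the cases raised in the post.
SAMPLE_EVENTS = {
    "ssh user chown":              AuditEvent("b32", "chown", 1001, 1001),
    "ssh user after su to root":   AuditEvent("b32", "chown", 1001, 0),
    "cron job running as root":    AuditEvent("b32", "chown", AUID_UNSET, 0),
    "root console login chown":    AuditEvent("b32", "chown", 0, 0),
    "64-bit chown by ssh user":    AuditEvent("b64", "chown", 1001, 1001),
    "ssh user chmod":              AuditEvent("b32", "chmod", 1001, 1001),
}


def evaluate(rule=PERM_MOD_RULE, events=SAMPLE_EVENTS):
    """Map each sample event name to whether the rule would audit it."""
    return {name: rule_matches(rule, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:30s} -> {'audited' if hit else 'not audited'}")
```

Running it shows that only the two events with auid 1001 on a 32-bit chown are audited, including the one where the same session has already become root; the cron, console-root, 64-bit and chmod cases all fall outside this single rule, which is why the guide ships companion rules (the b64 variant, and separate rules for chmod, fchmod and the other permission-changing syscalls) rather than relying on this one line.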
