I noticed many of the audit rules apply the "-F auid>=500 -F auid!=4294967295" fields, and I'm not fully sure I agree with it. It looks like these were taken from the stig.rules sample file that ships with RHEL.
This presumes that system administrators are following UID naming schemes. I suppose we could create a "no UIDs < 500" check, but I'd rather eliminate the "-F auid>=500 -F auid!=4294967295" from the audit rules to ensure those with less than noble intent can't create a UID < 500 and escape auditing. By reference, all our Common Criteria profiles do not have the auid checks.
What's the consensus -- keep or remove auid flags?
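A sketch of the "no UIDs < 500" check mentioned above, as an added example that is not part of the original post: it reads the `auid>=N` threshold from each audit rule and lists passwd entries with a login shell whose UID falls below it. The sample rules, the passwd entries (including the account name `svcbackup`) and the non-login shell list are constructed assumptions.

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -F auid>=500 -F auid!=4294967295 -k delete
-w /etc/passwd -p wa -k identity
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svcbackup:x:250:250::/home/svcbackup:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
"""
# Assumption: shells treated as "cannot log in interactively".
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
AUID_MIN = re.compile(r"-F\s+auid>=(\d+)")

def auid_filtered_rules(rules_text):
    """Return (threshold, rule) for every active rule carrying an auid>=N filter."""
    out = []
    for line in rules_text.splitlines():
        line = line.strip()
        m = AUID_MIN.search(line)
        if m and not line.startswith("#"):
            out.append((int(m.group(1)), line))
    return out

def login_accounts_below(passwd_text, threshold):
    """Return (name, uid) for passwd entries with a login shell and UID < threshold."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip comments and malformed entries
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid.isdigit() and int(uid) < threshold and shell not in NON_LOGIN_SHELLS:
            hits.append((name, int(uid)))
    return hits

def report(rules_text, passwd_text):
    """Map each auid-filtered rule key to the login-capable accounts it excludes."""
    result = {}
    for threshold, rule in auid_filtered_rules(rules_text):
        key = rule.split("-k")[-1].strip() if "-k" in rule else rule
        result[key] = login_accounts_below(passwd_text, threshold)
    return result

if __name__ == "__main__":
    for key, accounts in report(SAMPLE_RULES, SAMPLE_PASSWD).items():
        print(key, accounts)
```

A direct root login also shows up in the output, because its login UID is 0.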