Hi everyone, this is my first post here, so apologies if I don't provide all the required information. I'm just working on PCI-DSS compliance with the xccdf_org.ssgproject.content_profile_pci-dss policy and the RHEL7 security guide. Having reviewed the report.html file it's advising me about several recommended auditing issues, the blurb is: At a minimum the audit system should collect file permission changes for all users and root. The remediation advice suggests implementing the following audit rule for 32bit systems: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod But I'm confused as to how this achieves what it sets out to do. I should mention that I'm establishing loginuid by running; cat /proc/<pid>/loginuid 1) Most of the loginuids for "logged in users" on my machine have a loginuid of 4294967295 (which I understand is effectively -1 in other words the loginuid is not set). Only users that have remotely accessed my machine by logging in over ssh seem to have a loginuid that would match the above criteria ie not 4294967295 and above 1000. Is this normal? And why would I want to exclude auditing for users with a loginuid of 4294967295? 2) Furthermore how will the above criteria include the root user? Does this have a loginuid of 1 (root) or something else? I'm sure the issue is down to my lack of knowledge, but I'd be grateful of some education. Many thanks for any help, JJ Millen Oracle DBA and Unix Systems Administrator IT - Uk - Infrastructure Reed Specialist Recruitment Ext: 76089 Disclaimer: Internet communications are not secure and therefore Reed does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Reed family of companies unless otherwise specifically stated. This email and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering it to the intended recipient, be advised that you have received this email in error and that any dissemination, distribution, copying or use is strictly prohibited. If you have received this email in error please notify the sender and then delete the message and any attachments from your computer. This email has been scanned for all known viruses by the Websense Mailcontrol System. While the sender has taken every reasonable precaution to minimise risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachments to this e-mail.