All, I have seen some audit.rules that ignore ALL events involving auid being the unset user ie a rule segment of -F auid!=4294967295 What are the possible risks of excluding recording events from the unset auid? Especially since I believe root could override the auid by writing to /proc/self/loginuid. Rgds