auid=0
rshaw1 at umbc.edu
rshaw1 at umbc.edu
Mon Aug 3 18:11:31 UTC 2015
Comparing the "official" STIG content with the scap-security-guide
content, the former seems to have added corresponding rules for "-F
auid=0" that aren't present in scap-security guide. i.e. where
scap-security-guide will just have one rule:
-a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F
auid!=4294967295 -k delete
the official content will have the above plus:
-a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
Is the addition necessary? It doesn't seem to be, as the rules caught
root usage of, for example, chmod just fine without it (I had used su; not
sure if there's a difference between that and other ways of being root.)
I would like to make sure I'm right before asking one group or the other
to delete or add it, respectively.
--Ray
More information about the Linux-audit
mailing list