euid missing
Steve Grubb
sgrubb at redhat.com
Wed Jul 13 16:39:40 UTC 2016
On Wednesday, July 13, 2016 9:27:25 AM EDT Chris Nandor wrote:
> As mentioned in previous e-mail, we want to log what users do as root. I
> have these two rules, only:
>
> -a exit,always -F arch=b32 -F euid=0 -F auid>=0 -F auid!=4294967295 -S
> execve -k rootcmd
> -a exit,always -F arch=b64 -F euid=0 -F auid>=0 -F auid!=4294967295 -S
> execve -k rootcmd
>
> But this line shows up:
>
> node=grax.sea.marchex.com type=ANOM_ABEND
> msg=audit(1468426871.752:3282575): auid=811 uid=811 gid=811 ses=12
> pid=18504 comm="chromium-browse" reason="seccomp" sig=0 syscall=91 compat=0
> ip=0x7f296c759c77 code=0x50001
There are two kinds of events. There are the ones that are triggered by the
rules you load, and there are rules that are hardwired to be logged because
something significant happened. In this case the seccomp filter killed
chromium-browse because it violated policy. It has nothing to do with your
rules which have a rootcmd key.
To find the events triggered by your rule, use:
ausearch --start today -k rootcmd -i
-Steve
> My guess is that it is because euid is missing; maybe euid=0 is true if
> euid is null? I could put uid=0, instead of euid ... but that isn't
> exactly what I want, I think. Is there a way to have the rule require euid
> actually be 0?
>
> --Chris
More information about the Linux-audit
mailing list