httpd auid = -1

Thu Jul 30 18:29:02 UTC 2020

On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
> with is running with an Audit ID of -1. Example ID values are:
> 
>         auid=4294967295
>         uid=48
>         gid=48
>         ...
> 
> So if use the standard filter "-F auid!=-1” in the audit rules I do not see
> httpd activity.
> 
> Is this common?

Yes, this is common. Most people are interested in the actions that people
take on the machine rather than normal system functioning.

> How do I change the auid to something else, so I can capture the httpd
> activity in the audit log?

A couple of ways. 
1) remove the auid!=-1. That will get you all daemons.
2) Use audit by executable rules:
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec

-Steve 

> Example audit line:
> 
> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" key=(null)