[Open-scap] Compliance with xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown

James.Millen at reedglobal.com James.Millen at reedglobal.com
Wed Aug 10 14:58:10 UTC 2016


Hi everyone, this is my first post here, so apologies if I don't provide 
all the required information.

I'm just working on PCI-DSS compliance with the 
xccdf_org.ssgproject.content_profile_pci-dss policy and the RHEL7 security 
guide.  Having reviewed the report.html file, it's advising me about 
several recommended auditing issues; the blurb is:

At a minimum the audit system should collect file permission changes for 
all users and root.

The remediation advice suggests implementing the following audit rule for 
32-bit systems:

-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod

But I'm confused as to how this achieves what it sets out to do.  I should 
mention that I'm establishing the loginuid by running: cat 
/proc/<pid>/loginuid

1) Most of the loginuids for "logged in users" on my machine have a 
loginuid of 4294967295 (which I understand is effectively -1; in other 
words, the loginuid is not set).  Only users that have remotely accessed my 
machine by logging in over ssh seem to have a loginuid that would match 
the above criteria, i.e. not 4294967295 and 1000 or above.  Is this normal?  And 
why would I want to exclude auditing for users with a loginuid of 
4294967295?

2) Furthermore how will the above criteria include the root user?  Does 
this have a loginuid of 1 (root) or something else?

I'm sure the issue is down to my lack of knowledge, but I'd be grateful for 
some education.

Many thanks for any help,

JJ Millen
Oracle DBA and Unix Systems Administrator
IT - UK - Infrastructure
Reed Specialist Recruitment
Ext: 76089


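The post above asks what events the quoted rule actually selects. The following is an added worked example (not the poster's code and not part of the SCAP Security Guide): a small model of the auditctl filter syntax used in that rule, applied to constructed events, plus a helper that reads /proc/<pid>/loginuid the same way the post does. The parser is a simplified stand-in for the kernel's filter matching and only understands the -S, -F and -k tokens present in the rule; the sample loginuids at the bottom are constructed values, not taken from a real host.

```python
import os
import re

# Audit rule quoted from the post (32-bit chown, keyed perm_mod).
RULE = ("-a always,exit -F arch=b32 -S chown "
        "-F auid>=1000 -F auid!=4294967295 -k perm_mod")

# (uint32)-1: the kernel reports this when a loginuid was never set for the session.
UNSET_AUID = 4294967295

# One -F expression: field, comparison operator, value (longest operators first).
_FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.+)$")
_OPS = {
    "=":  lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    ">=": lambda have, want: have >= want,
    "<=": lambda have, want: have <= want,
    ">":  lambda have, want: have > want,
    "<":  lambda have, want: have < want,
}


def parse_rule(rule):
    """Split an auditctl syscall rule into its syscalls, -F filters and key.

    Simplified model (assumption): -a/-w and unknown tokens are skipped.
    """
    tokens = rule.split()
    syscalls, filters, key = [], [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-S":
            syscalls.extend(tokens[i + 1].split(","))
            i += 2
        elif tok == "-F":
            m = _FIELD_RE.match(tokens[i + 1])
            if not m:
                raise ValueError(f"unsupported -F expression: {tokens[i + 1]}")
            field, op, value = m.groups()
            filters.append((field, op, value))
            i += 2
        elif tok == "-k":
            key = tokens[i + 1]
            i += 2
        else:
            i += 1  # "-a always,exit": list/action selection, not a match filter
    return {"syscalls": syscalls, "filters": filters, "key": key}


def _coerce(field, raw):
    """arch values (b32/b64) compare as strings; everything else as integers."""
    return raw if field == "arch" else int(raw)


def event_matches(parsed, event):
    """Return True if an event {'arch','syscall','auid'} satisfies every filter."""
    if parsed["syscalls"] and event["syscall"] not in parsed["syscalls"]:
        return False
    for field, op, raw in parsed["filters"]:
        if not _OPS[op](event[field], _coerce(field, raw)):
            return False
    return True


def would_be_audited(auid, rule=RULE):
    """Would a chown() from a 32-bit process with this loginuid hit the rule?"""
    event = {"arch": "b32", "syscall": "chown", "auid": auid}
    return event_matches(parse_rule(rule), event)


def read_loginuid(pid, proc_root="/proc"):
    """Read the session loginuid of a live process, as `cat /proc/<pid>/loginuid` does."""
    with open(os.path.join(proc_root, str(pid), "loginuid")) as fh:
        return int(fh.read().strip())


# Constructed sample loginuids (labels are illustrative, not real processes).
SAMPLE_AUIDS = {
    "ssh session, uid 1001": 1001,
    "daemon started at boot": UNSET_AUID,
    "system account, uid 999": 999,
    "root logged in directly": 0,
}


def classify_samples(samples=SAMPLE_AUIDS):
    """Map each sample label to whether the rule would record its chown() calls."""
    return {label: would_be_audited(auid) for label, auid in samples.items()}


if __name__ == "__main__":
    for label, hit in classify_samples().items():
        print(f"{label:28s} -> {'audited' if hit else 'not audited'}")
```

Running the block shows that only the interactive session with loginuid 1001 satisfies both -F auid filters; a process whose loginuid is 4294967295 fails the `auid!=4294967295` test, and loginuids below 1000 fail `auid>=1000`. Changing the syscall to fchown or the arch to b64 in `event_matches` also yields no match, because the quoted rule lists only `-S chown` for `arch=b32`.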