Open EmptyByte opened 1 month ago
In auditd, the auid (Audit User ID) represents the user ID of the user who initiated a process. The value 4294967295 (or -1 in signed 32-bit integer representation) is used to indicate an unset or invalid auid.
Why Use auid!=unset
Using auid!=unset is more readable and semantically clear. It directly conveys the intent that the rule should apply to all users except those with an unset auid. This improves the maintainability and readability of your audit rules.
In older versions of auditd, the unset keyword was not supported. Instead, the auid field would be set to -1 (or 4294967295 in unsigned 32-bit integer representation) to indicate that the audit user ID was not set.
Using auid!=4294967295 and auid!=-1 explicitly checks for these values, ensuring that the rule applies to all cases where the audit user ID is not set.
Can we close the issue?
@Pierre-Gronau-ndaal Yes this can be closed. However there is still a mix of unset and ID 4294967295.
Why mix
auid!=4294967295
auid!=-1
instead of using:
auid!=unset
since it is exactly the same?
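The thread's point is that auid!=4294967295, auid!=-1 and auid!=unset mean the same thing, and that a rule set should not mix them. The following is an added example, not code from the issue or from the project: two small POSIX shell functions that rewrite the numeric spellings to the unset keyword and count how many distinct spellings a rules file still contains (anything above 1 means the file mixes forms). The three rule lines in SAMPLE_RULES are constructed for the example.

```shell
#!/bin/sh
# Constructed sample rules: one line for each of the three equivalent spellings.
SAMPLE_RULES='-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b64 -S open -F auid>=1000 -F auid!=-1 -k open
-a always,exit -F arch=b64 -S setuid -F auid>=1000 -F auid!=unset -k priv'

# Rewrite "auid=4294967295", "auid!=4294967295", "auid=-1" and "auid!=-1" to the
# unset keyword. Reads rules on stdin, writes the normalized rules to stdout.
# The trailing space/end-of-line anchor keeps values such as -10 from matching.
normalize_auid() {
    sed -E 's/auid(!?=)(4294967295|-1)( |$)/auid\1unset\3/g'
}

# Count the distinct spellings of the unset auid present on stdin.
# Prints 0, 1, 2 or 3; a result above 1 means the rules mix forms.
# "auid>=1000" is not counted because it is a different comparison.
count_auid_forms() {
    grep -oE 'auid!?=(4294967295|-1|unset)( |$)' \
        | sed -E 's/^auid!?=//; s/ $//' \
        | sort -u \
        | grep -c .
}

# Stand-alone demonstration on the constructed sample.
printf 'distinct forms before: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | count_auid_forms)"
printf 'distinct forms after:  %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | normalize_auid | count_auid_forms)"
```

To check a real rule set, feed the files under /etc/audit/rules.d/ to count_auid_forms; a result of 1 (or 0 if no rule filters on an unset auid) means the spelling is consistent, and normalize_auid produces the consistent form if it is not.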