Neo23x0 / auditd

Best Practice Auditd Configuration
Apache License 2.0
1.47k stars 258 forks

User IDs standard #150

Open EmptyByte opened 1 month ago

EmptyByte commented 1 month ago

Why mix

auid!=4294967295 auid!=-1

instead of using:

auid!=unset

since it is exactly the same?

Pierre-Gronau-ndaal commented 1 month ago

In auditd, the auid (Audit User ID) represents the user ID of the user who initiated a process. The value 4294967295 (or -1 in signed 32-bit integer representation) is used to indicate an unset or invalid auid.

Why Use auid!=unset

Using auid!=unset is more readable and semantically clear. It directly conveys the intent that the rule should apply to all users except those with an unset auid. This improves the maintainability and readability of your audit rules.

In older versions of auditd, the unset keyword was not supported. Instead, the auid field would be set to -1 (or 4294967295 in unsigned 32-bit integer representation) to indicate that the audit user ID was not set.

Using auid!=4294967295 and auid!=-1 explicitly checks for these values, ensuring that the rule applies to all cases where the audit user ID is not set.
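As an added illustration of the three spellings discussed above (not code from the auditd repository or from either commenter): a small checker that reports which spellings of the unset auid a rules file mixes and normalizes the numeric forms to the `unset` keyword. The sample rules are constructed for this example; rewriting to `unset` assumes an auditctl recent enough to accept that keyword, which the thread notes older versions did not.

```python
import re

# Constructed sample rules (not from the repository), mixing all three spellings.
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
# -w /etc/passwd -p wa -k identity   (comment line, left untouched)
"""

# Matches an auid comparison against any spelling of the unset sentinel.
# auid>=1000 deliberately does not match: only != and = against these values.
AUID_UNSET_FIELD = re.compile(r"(?<!\w)auid(!=|=)(-1|4294967295|unset)\b")


def auid_unset_sentinel() -> int:
    """-1 reinterpreted as an unsigned 32-bit integer is 4294967295, the value
    the kernel reports for a loginuid that was never set."""
    return -1 & 0xFFFFFFFF


def spellings_used(rules: str) -> set:
    """Set of spellings used for the unset auid in non-comment lines.
    More than one element means the rule set mixes styles."""
    found = set()
    for line in rules.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for _, value in AUID_UNSET_FIELD.findall(line):
            found.add(value)
    return found


def normalize_auid(rules: str) -> str:
    """Rewrite auid!=-1 / auid!=4294967295 (and the = forms) to the unset keyword."""
    out = []
    for line in rules.splitlines():
        if line.lstrip().startswith("#"):
            out.append(line)
            continue
        out.append(AUID_UNSET_FIELD.sub(lambda m: f"auid{m.group(1)}unset", line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unset sentinel:", auid_unset_sentinel())
    print("spellings used:", sorted(spellings_used(SAMPLE_RULES)))
    print(normalize_auid(SAMPLE_RULES))
```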

Pierre-Gronau-ndaal commented 3 weeks ago

Can we close the issue?

EmptyByte commented 1 week ago

@Pierre-Gronau-ndaal Yes, this can be closed. However, there is still a mix of unset and ID 4294967295.