Closed skosachiov closed 4 months ago
@stevegrubb correct me if I'm wrong but I think auid=-1 does not mean user not defined but rather something like service/daemon spawned by systemd?
Otherwise code looks good.
Ok. It's better to write "unset". The audit system considers uids to be unsigned numbers. The audit system uses the number -1 to indicate that a loginuid is not set. This means that when it's printed out, it looks like 4294967295. But when you write rules, you can use either "unset" which is easy to remember, or -1, or 4294967295. https://www.man7.org/linux/man-pages/man7/audit.rules.7.html
Rules with auid=-1 (user not defined) can be useful to avoid blocking calls on behalf of the system.
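As an added illustration of the point made above (this is example code, not part of the thread or the audit project): the three spellings "unset", -1 and 4294967295 all denote the same unsigned 32-bit loginuid value, so detection logic over audit logs and rule files should normalise them before comparing. The helper names, the regexes and the sample records below are constructed for this example.

```python
import re

# 4294967295 is how the unsigned value -1 (loginuid not set) appears in audit output.
AUID_UNSET = 0xFFFFFFFF


def normalize_auid(token: str) -> int:
    """Map 'unset', '-1' or '4294967295' (and any ordinary uid) to the unsigned value audit uses."""
    if token.strip().lower() == "unset":
        return AUID_UNSET
    value = int(token, 10)
    if value < -1 or value > 0xFFFFFFFF:
        raise ValueError(f"uid out of 32-bit range: {token}")
    return value & 0xFFFFFFFF  # -1 wraps to 4294967295, matching what auditd prints


def is_unset(token: str) -> bool:
    return normalize_auid(token) == AUID_UNSET


# Matches the auid field of an audit record, in any of the accepted spellings.
_AUID_RE = re.compile(r"\bauid=(-?\d+|unset)\b")


def classify_record(line: str) -> str:
    """'unset' for records without a login session (daemons, boot-time processes), 'session' otherwise."""
    m = _AUID_RE.search(line)
    if not m:
        return "no-auid"
    return "unset" if is_unset(m.group(1)) else "session"


# Constructed sample records (not real logs); field layout follows the SYSCALL record format.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="bash"',
    'type=SYSCALL msg=audit(1700000000.456:43): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 comm="sshd"',
    'type=CONFIG_CHANGE msg=audit(1700000000.789:44): auid=-1 op=add_rule key="exec" list=4 res=1',
]


def summarize(records):
    """Count records per class, e.g. to see how much of a log is daemon activity vs. user sessions."""
    counts = {}
    for r in records:
        k = classify_record(r)
        counts[k] = counts.get(k, 0) + 1
    return counts


# Rewrites numeric unset spellings in a rule line to the more readable 'unset' (equality tests only).
_RULE_AUID_RE = re.compile(r"(auid!?=)(-1|4294967295)\b")


def canonicalize_rule(rule: str) -> str:
    return _RULE_AUID_RE.sub(r"\1unset", rule)
```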