linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

ID begins with a digit or minus sign #294

Closed skosachiov closed 4 months ago

skosachiov commented 5 months ago

Rules with auid=-1 (user not defined) can be useful to avoid blocking calls on behalf of the system.

radosroka commented 4 months ago

@stevegrubb correct me if I'm wrong but I think auid=-1 does not mean user not defined but rather something like service/daemon spawned by systemd?

Otherwise code looks good.

skosachiov commented 4 months ago

Ok. It's better to write "unset". The audit system considers uids to be unsigned numbers. The audit system uses the number -1 to indicate that a loginuid is not set. This means that when it's printed out, it looks like 4294967295. But when you write rules, you can use either "unset" which is easy to remember, or -1, or 4294967295. https://www.man7.org/linux/man-pages/man7/audit.rules.7.html
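The three spellings listed in the comment above ("unset", -1, 4294967295) normalized to a single 32-bit value, as an added example that is not code from fapolicyd or the audit project. `parse_auid` and `AUID_UNSET` are hypothetical names, and the sample tokens in `main` are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The "loginuid not set" sentinel: -1 stored in an unsigned 32-bit id. */
#define AUID_UNSET ((uint32_t)-1)   /* prints as 4294967295 */

/* Hypothetical helper: normalize an auid token from a rule.
 * Returns 0 and stores the id on success, -1 if the token is invalid. */
int parse_auid(const char *tok, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (tok == NULL || *tok == '\0')
        return -1;
    if (strcmp(tok, "unset") == 0 || strcmp(tok, "-1") == 0) {
        *out = AUID_UNSET;
        return 0;
    }
    /* -1 is the only negative spelling with a defined meaning. Reject
     * other signs and leading whitespace, which strtoull would accept
     * and silently wrap (e.g. "-2") into some other id. */
    if (tok[0] < '0' || tok[0] > '9')
        return -1;
    errno = 0;
    v = strtoull(tok, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample tokens, not taken from a real rules file. */
    const char *samples[] = { "unset", "-1", "4294967295", "1000",
                              "-2", "4294967296", "10x" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t id = 0;
        if (parse_auid(samples[i], &id) == 0)
            printf("%-11s -> %u\n", samples[i], (unsigned)id);
        else
            printf("%-11s -> rejected\n", samples[i]);
    }
    return 0;
}
```

Comparing the parsed value against the subject's auid as an unsigned 32-bit number makes a rule written with any of the three spellings match the same processes.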