Hello everyone,
I have an issue where I am using puppet to manage the auditd service/rules. I have the following rule implemented:
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=4294967295 -k priv_func_exe
However, I am still getting messages that have the auid=4294967295. In fact, I even removed the rule from the list, re-ran the puppet script to update the rules, verified no rules with "auditctl -l", and it is still showing two particular messages:
type=SERVICE_START msg=audit(time:number): pid=1 uid=0 auid=4294967295 ses=4294967295 ...
type=SERVICE_STOP msg=audit(time:number): pid=1 uid=0 auid=4294967295 ses=4294967295 ...
Yes, the service start and service stop are pointing to a single service not starting, but if there are no rules in auditd, then why are they logging?
I have two questions:
1) Why with the "auid!=4294967295" are the logs still generating events with this value?
2) Why are there any logs still being generated after I have cleared all the rules from auditd?
Thank you for your help and time.
Auditd rules not filtering
Re: Auditd rules not filtering
Doesn't it just match euid=0?
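Added example (not from either poster): a small triage script that separates records the "-k priv_func_exe" exit-list rule can produce (type=SYSCALL) from records that exist regardless of any rule, such as the SERVICE_START/SERVICE_STOP messages systemd (pid=1) sends itself, which the exit-list "auid!=4294967295" filter never sees. The audit.log lines are constructed to match the shapes quoted above; the class names and helper functions are this script's own.

```sh
# Constructed sample records (not the poster's system). The SERVICE_* lines are
# user-space messages from systemd; only type=SYSCALL lines can come from the rule.
AUDIT_SAMPLE='type=SERVICE_START msg=audit(1700000000.001:101): pid=1 uid=0 auid=4294967295 ses=4294967295
type=SYSCALL msg=audit(1700000000.002:102): arch=c000003e syscall=59 pid=2345 auid=1000 uid=0 euid=0 ses=3 key="priv_func_exe"
type=SYSCALL msg=audit(1700000000.003:103): arch=c000003e syscall=59 pid=2346 auid=4294967295 uid=0 euid=0 ses=4294967295 key=(null)
type=SERVICE_STOP msg=audit(1700000000.004:104): pid=1 uid=0 auid=4294967295 ses=4294967295'

# audit_field RECORD NAME: print the value of NAME=value in RECORD (quotes stripped).
audit_field() {
  printf '%s\n' "$1" | awk -v f="$2" '{
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n > 0 && substr($i, 1, n - 1) == f) {
        v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
      }
    }
  }'
}

# classify_line RECORD: say whether the priv_func_exe rule could have produced it.
classify_line() {
  rec_type=$(audit_field "$1" type)
  auid=$(audit_field "$1" auid)
  key=$(audit_field "$1" key)
  if [ "$rec_type" != "SYSCALL" ]; then
    echo not-syscall      # never produced by exit-list rules; auid!= filter does not apply
  elif [ "$key" = "priv_func_exe" ] && [ "$auid" = "4294967295" ]; then
    echo filter-miss      # tagged record with unset auid: the auid!= filter is not working
  elif [ "$key" = "priv_func_exe" ]; then
    echo rule-hit         # root execve with a real login uid, as the rule intends
  else
    echo other-syscall    # syscall record the rule deliberately left untagged
  fi
}

# count_class CLASS: number of sample records in CLASS.
count_class() {
  n=0
  while IFS= read -r rec; do
    [ -n "$rec" ] || continue
    [ "$(classify_line "$rec")" = "$1" ] && n=$((n + 1))
  done <<EOF
$AUDIT_SAMPLE
EOF
  echo "$n"
}

printf '%s\n' "$AUDIT_SAMPLE" | while IFS= read -r rec; do echo "$(classify_line "$rec") $rec"; done
```

Run the same classification over the real /var/log/audit/audit.log: a filter-miss count of zero means the auid!= filter is working, and the not-syscall records are governed by auditctl's exclude list (-a always,exclude -F msgtype=...), not by the exit list.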