Auditd rules not filtering

Lincon
Posts: 1
Joined: 2019/07/18 12:20:39

Auditd rules not filtering

Post by Lincon » 2019/07/18 12:21:56

Hello everyone,
I have an issue where I am using puppet to manage the auditd service/rules. I have the following rule implemented:

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=4294967295 -k priv_func_exe

However, I am still getting messages that have auid=4294967295. In fact, I even removed the rule from the list, re-ran the puppet script to update the rules, verified that there were no rules with "auditctl -l", and it is still showing two particular messages:

type=SERVICE_START msg=audit(time:number): pid=1 uid=0 auid=4294967295 ses=4294967295 ...
type=SERVICE_STOP msg=audit(time:number): pid=1 uid=0 auid=4294967295 ses=4294967295 ...

Yes, the service start and service stop are pointing to a single service not starting, but if there are no rules in auditd then why are they logging?

I have two questions:

1) Why with the "auid!=4294967295" are the logs still generating events with this value?
2) Why are there any logs still being generated after I have cleared all the rules from auditd?

Thank you for your help and time.
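The two record types quoted above are not produced by a syscall rule at all: an "-a always,exit" rule is evaluated on the syscall exit path, while SERVICE_START and SERVICE_STOP are user-space messages that systemd (pid=1) sends to the audit daemon, so no auditctl filter ever sees them, and auid=4294967295 is simply the "loginuid never set" value that pid 1 always carries. The following added example (my own code, not from this thread) parses constructed records modelled on the ones quoted and evaluates the posted rule's conditions against each, labelling which records the rule could never have filtered; the x86_64 field values (arch=c000003e, syscall=59 for execve) are assumptions for the sample.

```python
import re
from typing import Dict, List, Tuple

UNSET_AUID = 4294967295  # -1 as an unsigned 32-bit value: loginuid was never set

# Constructed sample records modelled on the ones quoted in the post; not real log output.
# Record 104 is included only to show how the auid!= exclusion evaluates on a syscall record.
SAMPLE_LOG = """\
type=SERVICE_START msg=audit(1563452516.123:101): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=crond comm="systemd" exe="/usr/lib/systemd/systemd" res=success'
type=SERVICE_STOP msg=audit(1563452517.456:102): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=crond comm="systemd" exe="/usr/lib/systemd/systemd" res=success'
type=SYSCALL msg=audit(1563452520.001:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="id" exe="/usr/bin/id" key="priv_func_exe"
type=SYSCALL msg=audit(1563452521.002:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2100 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="sh" exe="/usr/bin/bash" key=(null)
"""

# key=value pairs; quoted values may contain spaces and nested key=value text
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of field -> value (surrounding quotes stripped)."""
    return {k: v.strip('"\'') for k, v in FIELD_RE.findall(line)}


def classify(rec: Dict[str, str]) -> str:
    """Evaluate the posted rule (-S execve -F euid=0 -F auid!=4294967295) against one record.

    Only SYSCALL records are subject to syscall-exit rules; anything else is reported
    as a daemon record that auditctl rules cannot filter.
    """
    if rec.get("type") != "SYSCALL":
        return "daemon-record"          # e.g. SERVICE_START/STOP from systemd (pid 1)
    if rec.get("arch") != "c000003e" or rec.get("syscall") != "59":
        return "other-syscall"          # not execve on x86_64 (assumed arch=b64 mapping)
    if rec.get("euid") != "0":
        return "euid-mismatch"
    if int(rec.get("auid", UNSET_AUID)) == UNSET_AUID:
        return "excluded-by-auid"       # this is what auid!=4294967295 removes
    return "matched"


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (record type, verdict) for every non-empty line of an audit log."""
    records = (parse_record(line) for line in log.splitlines() if line.strip())
    return [(rec["type"], classify(rec)) for rec in records]


if __name__ == "__main__":
    for rtype, verdict in triage(SAMPLE_LOG):
        print(f"{rtype:14} {verdict}")
```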

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Auditd rules not filtering

Post by aks » 2019/07/22 18:42:02

Doesn't it just match euid=0?
