
User IDs standard

Open EmptyByte opened this issue 1 year ago • 3 comments

Why mix

auid!=4294967295 auid!=-1

instead of using:

auid!=unset

since it is exactly the same?

EmptyByte avatar Jul 25 '24 11:07 EmptyByte

In auditd, the auid (Audit User ID) represents the user ID of the user who initiated a process. The value 4294967295 (or -1 in signed 32-bit integer representation) is used to indicate an unset or invalid auid.

Why use auid!=unset: using auid!=unset is more readable and semantically clear. It directly conveys the intent that the rule should apply to all users except those with an unset auid. This improves the maintainability and readability of your audit rules.

In older versions of auditd, the unset keyword was not supported. Instead, the auid field would be set to -1 (or 4294967295 in unsigned 32-bit integer representation) to indicate that the audit user ID was not set.

Using auid!=4294967295 and auid!=-1 explicitly checks for these values, ensuring that the rule applies to all cases where the audit user ID is not set.

Pierre-Gronau-ndaal avatar Jul 29 '24 00:07 Pierre-Gronau-ndaal

can we close the issue?

Pierre-Gronau-ndaal avatar Aug 23 '24 05:08 Pierre-Gronau-ndaal

@Pierre-Gronau-ndaal Yes, this can be closed. However, there is still a mix of unset and ID 4294967295.

EmptyByte avatar Sep 11 '24 11:09 EmptyByte
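The thread above explains that `auid!=4294967295`, `auid!=-1` and `auid!=unset` all express the same test, and the last comment notes that the rule set still mixes the spellings. The following is an added example, not code from this issue or from the project, that demonstrates both points on a small rules file: it shows why -1 and 4294967295 are the same 32-bit value, scans `-F auid` fields to report which spellings of the "unset" test are in use, and rewrites the numeric forms to the `unset` keyword. The sample rules embedded in it are constructed for the demonstration; the field syntax (`-F auid!=...`) is ordinary auditctl syntax, and the assumption that the target auditctl accepts the `unset` keyword is the one the thread itself makes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules file (not taken from the project): all three spellings mixed.
SAMPLE_RULES = """\
# identity files
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k cmd
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod
"""

# The kernel keeps loginuid as an unsigned 32-bit value; a never-set loginuid is all ones.
AUID_UNSET = 0xFFFFFFFF  # 4294967295


def to_unsigned32(value: int) -> int:
    """Reinterpret a signed 32-bit integer as unsigned (so -1 becomes 4294967295)."""
    return value & 0xFFFFFFFF


def normalize_auid(token: str) -> str:
    """Map 'unset', '-1' and '4294967295' to 'unset'; leave other values untouched."""
    if token == "unset":
        return "unset"
    try:
        n = int(token)
    except ValueError:
        return token  # a user name: auditctl resolves it, we do not
    return "unset" if to_unsigned32(n) == AUID_UNSET else str(n)


# A -F field is name, comparison operator, value (operators listed in auditctl's man page).
FIELD_RE = re.compile(r"^([a-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


def parse_rule_fields(line: str) -> List[Tuple[str, str, str]]:
    """Return (name, op, value) for every -F field on one auditctl rule line."""
    toks = line.split()
    fields = []
    for i, tok in enumerate(toks):
        if tok == "-F" and i + 1 < len(toks):
            m = FIELD_RE.match(toks[i + 1])
            if m:
                fields.append(m.groups())
    return fields


def unset_spellings(text: str) -> Dict[str, List[int]]:
    """Map each spelling of the 'auid is unset' value to the line numbers that use it."""
    spellings: Dict[str, List[int]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, _op, value in parse_rule_fields(line):
            if name == "auid" and normalize_auid(value) == "unset":
                spellings.setdefault(value, []).append(lineno)
    return spellings


def is_mixed(text: str) -> bool:
    """True when a rules file spells the unset test in more than one way."""
    return len(unset_spellings(text)) > 1


def canonicalize(text: str) -> str:
    """Rewrite auid!=-1 / auid!=4294967295 (and auid=...) to the unset keyword."""
    return re.sub(r"(-F\s+auid)(!=|=)(?:-1|4294967295)(?=\s|$)", r"\1\2unset", text)


if __name__ == "__main__":
    print("-1 as unsigned 32-bit:", to_unsigned32(-1))
    print("spellings in use:", unset_spellings(SAMPLE_RULES))
    print("mixed:", is_mixed(SAMPLE_RULES))
    print(canonicalize(SAMPLE_RULES))
```

Running it on a real `/etc/audit/rules.d/*.rules` file (read the file into `text` instead of `SAMPLE_RULES`) reports which lines still use the numeric forms, which is the mix the last comment points out; `canonicalize` produces the file with one consistent spelling.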