diff --git a/CHANGELOG.md b/CHANGELOG.md
index d25754d34..5fe634665 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
## [Unreleased]
+* Update `audit` STIG rules for Canonical Ubuntu 18.04 LTS STIG - V2R7 and V2R8: [#1170](https://github.com/microsoft/PowerStig/issues/1170)
+
## [4.14.0] - 2022-09-14
* Update PowerSTIG to Parse/Apply Red Hat Enterprise Linux 7 STIG - Ver 3, Rel 8: [#1151](https://github.com/microsoft/PowerStig/issues/1151)
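Review bot: the changelog entry should state what changed in the rules rather than only which STIG revisions were targeted. Every hunk in this PR rewrites the unset-auid sentinel from `auid!=-1` to `auid!=4294967295`, in both the rule text and the match pattern, and that is the detail someone upgrading PowerSTIG needs, because a rules file that still spells the sentinel as `-1` will be evaluated differently after this change. Suggest something like `* Update audit STIG rules for Canonical Ubuntu 18.04 LTS STIG - V2R7 and V2R8 (unset auid sentinel -1 -> 4294967295): #1170`. The entry also names V2R8, but only `source/StigData/Processed/Ubuntu-18.04-2.7.xml` appears in the hunks shown here; confirm the V2R8 processed file receives the same update.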
diff --git a/source/StigData/Processed/Ubuntu-18.04-2.7.xml b/source/StigData/Processed/Ubuntu-18.04-2.7.xml
index cc37a30bd..dfa2f1f81 100644
--- a/source/StigData/Processed/Ubuntu-18.04-2.7.xml
+++ b/source/StigData/Processed/Ubuntu-18.04-2.7.xml
@@ -2843,11 +2843,11 @@ disk_full_action = HALT
If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
- -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
+ -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-priv_change
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-priv_change
/etc/audit/rules.d/audit.rules
False
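Review bot: the pattern on the `+` line now matches only the literal `4294967295` (`auid!\s*=\s*4294967295`), so a rule in /etc/audit/rules.d/audit.rules that still uses the previous spelling `auid!=-1` from the removed line will no longer match and will be reported as a finding, even though auditctl accepts both spellings as the same unset-auid filter and loads an identical rule. Unless the intent is to force existing rule files to be rewritten, accept both spellings in the pattern, e.g. `auid!\s*=\s*(?:-1|4294967295)`, while keeping `4294967295` in the rule text that PowerSTIG writes so it matches the STIG's own example. The same applies to every other pattern hunk in this file.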
@@ -2867,11 +2867,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
+ -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chfn
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chfn
/etc/audit/rules.d/audit.rules
False
@@ -2891,11 +2891,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
+ -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-mount
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-mount
/etc/audit/rules.d/audit.rules
False
@@ -2915,11 +2915,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
+ -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-umount
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-umount
/etc/audit/rules.d/audit.rules
False
@@ -2939,11 +2939,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
+ -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh
/etc/audit/rules.d/audit.rules
False
@@ -2963,11 +2963,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
+ -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh
/etc/audit/rules.d/audit.rules
False
@@ -2987,7 +2987,7 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+ -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2995,7 +2995,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod
/etc/audit/rules.d/audit.rules
False
@@ -3039,7 +3039,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+ -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3047,7 +3047,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod
/etc/audit/rules.d/audit.rules
False
@@ -3091,7 +3091,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3099,7 +3099,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3117,7 +3117,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3125,7 +3125,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3143,7 +3143,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3151,7 +3151,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3169,7 +3169,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3177,7 +3177,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3195,7 +3195,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3203,7 +3203,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3221,7 +3221,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3229,7 +3229,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3247,7 +3247,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3255,7 +3255,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3273,7 +3273,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3281,7 +3281,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3299,11 +3299,11 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
@@ -3323,11 +3323,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
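Review bot: the `DoesNotContainPattern` regex on the second `+` line now detects only a commented-out sudoedit rule written with `4294967295`; a leftover `# -a always,exit -F path=/usr/bin/sudoedit ... -F auid!=-1 -k priv_cmd` line would no longer be flagged. An alternation such as `auid!\s*=\s*(4294967295|-1|unset)` keeps the older spelling covered.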
@@ -3347,11 +3347,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
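Review bot: the context line states that the string after `-k` does not need to match the example, yet both `+` lines hard-code `priv_cmd`, so a /usr/bin/chsh rule filed under a different key is missed by the pattern and re-added by `ContainsLine`. This predates the change, but since the lines are being rewritten anyway, `-k\s*\S+` in the regex would bring the automated check in line with the STIG text.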
@@ -3371,11 +3371,11 @@ If the command does not return a line that matches the example or the line is co
Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
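Review bot: this is the fourth hand-edited copy of the same `-1` to `4294967295` substitution in this file; if the unset-auid literal were emitted from one place in the rule conversion code instead of being stored per rule in the processed XML, a future move to the `unset` spelling would be a single change rather than another sweep over every rule.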
@@ -3395,11 +3395,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
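Review bot: the regex on the second `+` line is unanchored, so `#\s*-a\s*always,exit...` also fires on a `#` that appears mid-line, for example a trailing comment that quotes the chcon rule after a live rule. Anchoring with `^\s*#` would restrict the commented-out detection to lines that actually begin with a comment marker.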
@@ -3419,11 +3419,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
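Review bot: nothing in the patch shows a test fixture exercising the new `4294967295` literal for the /sbin/apparmor_parser rule, either for `ContainsLine` or for the commented-out pattern. A round-trip test that parses this rule and compares it against a sample audit.rules line would guard against the two `+` lines drifting apart again.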
@@ -3443,11 +3443,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
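Review bot: both `+` lines were updated consistently, but depending on the audit version, `auditctl -l` prints a loaded rule back as `auid!=-1` or `auid!=unset` rather than `4294967295`, so anyone validating by comparing the live rule list to `ContainsLine` will see a mismatch that is not a real finding. A note that the file content, not `auditctl -l` output, is what this rule matches would avoid that confusion.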
@@ -3467,11 +3467,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
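Review bot: the `\s*` on either side of `=` in `perm\s*=\s*x` and `auid!\s*=\s*4294967295` tolerates whitespace that auditctl itself rejects (`-F auid != 4294967295` is not a valid field), so the commented-out pattern is looser than the exact-line match on the first `+` line. Harmless for detection, but if the intent is that both lines describe the same rule, tightening the regex to `auid!=4294967295` keeps them aligned.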
@@ -3493,11 +3493,11 @@ Note: The '-k' allows for specifying an arbitrary identifier and the string afte
If the command does not return a line that matches the example or the line is commented out, this is a finding.
- -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
+ -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-passwd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-passwd
/etc/audit/rules.d/audit.rules
False
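Review bot: the context line says a non-matching or commented-out line is a finding, and after this change the automated check for /usr/bin/passwd is satisfied only by the `4294967295` spelling; a rules file that passes the manual check with `auid!=-1` therefore fails this one. Recording in the rule data which spellings the automated check accepts would spare reviewers from chasing that divergence.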
@@ -3517,11 +3517,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
+ -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-unix-update
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-unix-update
/etc/audit/rules.d/audit.rules
False
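Review bot: the `-` to `+` change alters what `DoesNotContainPattern` matches without any note explaining why; a short comment in the changelog or the rule's notes stating that `4294967295` is the unsigned form of `-1` for the unset auid would save the next maintainer from "fixing" it back.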
@@ -3541,11 +3541,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
+ -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-gpasswd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-gpasswd
/etc/audit/rules.d/audit.rules
False
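Review bot: as with the other privileged-command rules, the commented-out pattern on the second `+` line no longer catches a `# -a ... path=/usr/bin/gpasswd ... auid!=-1 ...` remnant, so an administrator who disabled the old rule by commenting it out and then added the new one would pass this check while the stale comment stays in the file. An alternation over both spellings would close that gap.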
@@ -3565,11 +3565,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
+ -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chage
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chage
/etc/audit/rules.d/audit.rules
False
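Review bot: because `ContainsLine` is an exact-line match, the /usr/bin/chage rule spelled with `-1` on an already-hardened host is treated as absent, and the duplicate that gets appended is rejected by auditctl at load time as an existing rule since both spellings map to the same kernel filter. Worth confirming that augenrules/auditctl errors from that duplicate are surfaced rather than silently ignored.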
@@ -3589,11 +3589,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
+ -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-usermod
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-usermod
/etc/audit/rules.d/audit.rules
False
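Review bot: the key `privileged-usermod` is hard-coded in both `+` lines although the context line says the `-k` string is arbitrary; an organisation using a site-wide key for all privileged-command rules would be flagged on /usr/sbin/usermod despite meeting the STIG. If the exact-line match must stay, a `-k\s*\S+` wildcard in the regex at least keeps the commented-out detection key-agnostic.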
@@ -3613,11 +3613,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
+ -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-crontab
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-crontab
/etc/audit/rules.d/audit.rules
False
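Review bot: the regex on the second `+` line lacks a start-of-line anchor, so it also matches a `#` appearing after a live crontab rule on the same line; adding `^\s*#` would keep the match to lines that are actually commented out.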
@@ -3637,11 +3637,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
+ -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-pam_timestamp_check
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-pam_timestamp_check
/etc/audit/rules.d/audit.rules
False
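Review bot: the /usr/sbin/pam_timestamp_check rule has the longest path of the set and is the most likely to be wrapped or abbreviated when copied by hand; a test that loads this processed rule and checks that the literal on the first `+` line is accepted by `auditctl -R` on a sample file would confirm the rewritten line is still a valid rule.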
@@ -3661,11 +3661,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
+ -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng
/etc/audit/rules.d/audit.rules
False
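Review bot: the `+` `ContainsLine` for the b32 finit_module rule matches only the single-syscall form; an administrator who combined finit_module with other module syscalls in one `-S` list, as the VulnDiscussion on the delete rules later in this patch recommends for performance, would not match and would get a second rule appended. If that is acceptable, it should be noted; otherwise the match needs to allow a syscall list containing finit_module.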
@@ -3683,11 +3683,11 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
+ -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng
/etc/audit/rules.d/audit.rules
False
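Review bot: the b64 and b32 finit_module rules (this hunk and the previous one) carry independent copies of the literal; since every rule is edited separately, a grep for `auid!=-1` and `auid!\s*=\s*-1` across both processed XML files after applying this patch would confirm no rule was missed.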
@@ -3801,13 +3801,13 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
+ -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete
/etc/audit/rules.d/audit.rules
False
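Review bot: the regex on the second `+` line requires the syscalls in the exact order `unlink,unlinkat,rename,renameat,rmdir`; a functionally identical commented-out rule listing them in another order would not be detected. Since the order carries no meaning for auditctl, matching the set rather than the literal sequence would make the pattern robust.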
@@ -3825,13 +3825,13 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
+ -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete
/etc/audit/rules.d/audit.rules
False
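Review bot: `ContainsLine` here is an exact-line match, so a b32 delete rule that satisfies the STIG with an extra `-F` filter or the syscalls in another order is re-added, and augenrules then loads two overlapping syscall rules on the b32 path, doubling the per-syscall cost the VulnDiscussion itself warns about. Either a looser match or a note on this side effect would help.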
diff --git a/source/StigData/Processed/Ubuntu-18.04-2.8.xml b/source/StigData/Processed/Ubuntu-18.04-2.8.xml
index 02b2eb046..ab6a33310 100644
--- a/source/StigData/Processed/Ubuntu-18.04-2.8.xml
+++ b/source/StigData/Processed/Ubuntu-18.04-2.8.xml
@@ -2842,11 +2842,11 @@ disk_full_action = HALT
If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
- -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
+ -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-priv_change
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-priv_change
/etc/audit/rules.d/audit.rules
False
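Review bot: this /bin/su hunk repeats the substitution made in the earlier hunks of the patch; because the two processed files are edited independently, the /bin/su entries in both should be diffed against each other after the patch to confirm they differ only in STIG version, not in the rule text.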
@@ -2866,11 +2866,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
+ -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chfn
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chfn
/etc/audit/rules.d/audit.rules
False
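Review bot: the commented-out pattern on the second `+` line detects only the `4294967295` spelling for /usr/bin/chfn; a stale `# -a ... auid!=-1 -k privileged-chfn` line is no longer reported. An alternation covering `-1`, `unset` and `4294967295` keeps the detection complete.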
@@ -2890,11 +2890,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
+ -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-mount
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-mount
/etc/audit/rules.d/audit.rules
False
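Review bot: with the first `+` line requiring the literal `4294967295`, a /bin/mount rule already present as `auid!=-1` is treated as missing even though auditctl loads both to the same filter; the check will append a duplicate that auditctl then rejects. Either spelling should satisfy the check, or the change should be called out as a breaking change for hosts hardened against the previous version.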
@@ -2914,11 +2914,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
+ -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-umount
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-umount
/etc/audit/rules.d/audit.rules
False
@@ -2938,11 +2938,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
+ -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh
/etc/audit/rules.d/audit.rules
False
@@ -2962,11 +2962,11 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
+ -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh
/etc/audit/rules.d/audit.rules
False
@@ -2986,7 +2986,7 @@ If the command does not return lines that match the example or the lines are com
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+ -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2994,7 +2994,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod
/etc/audit/rules.d/audit.rules
False
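Review bot: the syscall list in the regex on the `+` line is matched as the literal sequence `setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr`, so a rule that lists the same syscalls in another order, or splits them across two `-a always,exit` lines, is reported as a finding even though auditctl loads it as an equivalent rule. That is acceptable if PowerStig owns the contents of /etc/audit/rules.d/audit.rules, but it deserves a comment in the rule data so the strictness is understood; the same holds for the `chown`, `chmod` and `creat,open` syscall rules in the following hunks.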
@@ -3038,7 +3038,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+ -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3046,7 +3046,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod
/etc/audit/rules.d/audit.rules
False
@@ -3090,7 +3090,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3098,7 +3098,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3116,7 +3116,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3124,7 +3124,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3142,7 +3142,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3150,7 +3150,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3168,7 +3168,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3176,7 +3176,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3194,7 +3194,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3202,7 +3202,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3220,7 +3220,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3228,7 +3228,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3246,7 +3246,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3254,7 +3254,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3272,7 +3272,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
+ -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -3280,7 +3280,7 @@ Audit records can be generated from various components within the information sy
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.
Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access
/etc/audit/rules.d/audit.rules
False
@@ -3298,11 +3298,11 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
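Review bot: the regex on the `+` line accepts whitespace that the audit rule syntax does not, e.g. the `\s*` around `=` in `perm\s*=\s*x` and `auid>\s*=\s*1000`, so a line such as `-F auid> = 1000` passes the check while auditctl would fail to load it from the rules file. If the intent is to tolerate only spacing between arguments, drop the `\s*` inside the field expressions, e.g. `-F\s+path=/usr/bin/sudo\s+-F\s+perm=x\s+-F\s+auid>=1000\s+-F\s+auid!=4294967295\s+-k\s+priv_cmd`.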
@@ -3322,11 +3322,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
@@ -3346,11 +3346,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
@@ -3370,11 +3370,11 @@ If the command does not return a line that matches the example or the line is co
Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
+ -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd
/etc/audit/rules.d/audit.rules
False
@@ -3394,11 +3394,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3418,11 +3418,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3442,11 +3442,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3466,11 +3466,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
+ -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng
/etc/audit/rules.d/audit.rules
False
@@ -3492,11 +3492,11 @@ Note: The '-k' allows for specifying an arbitrary identifier and the string afte
If the command does not return a line that matches the example or the line is commented out, this is a finding.
- -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
+ -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-passwd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-passwd
/etc/audit/rules.d/audit.rules
False
@@ -3516,11 +3516,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
+ -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-unix-update
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-unix-update
/etc/audit/rules.d/audit.rules
False
@@ -3540,11 +3540,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
+ -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-gpasswd
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-gpasswd
/etc/audit/rules.d/audit.rules
False
@@ -3564,11 +3564,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
+ -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chage
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chage
/etc/audit/rules.d/audit.rules
False
@@ -3588,11 +3588,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
+ -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-usermod
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-usermod
/etc/audit/rules.d/audit.rules
False
@@ -3612,11 +3612,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
+ -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-crontab
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-crontab
/etc/audit/rules.d/audit.rules
False
@@ -3636,11 +3636,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
+ -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-pam_timestamp_check
+ #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-pam_timestamp_check
/etc/audit/rules.d/audit.rules
False
@@ -3660,11 +3660,11 @@ If the command does not return a line that matches the example or the line is co
Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above.
- -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
+ -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng
/etc/audit/rules.d/audit.rules
False
@@ -3682,11 +3682,11 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
+ -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng
/etc/audit/rules.d/audit.rules
False
@@ -3800,13 +3800,13 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
+ -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete
/etc/audit/rules.d/audit.rules
False
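Review bot: the regex on the `+` line pins the exact syscall list and order `unlink,unlinkat,rename,renameat,rmdir`; an equivalent rule that lists the same five syscalls in a different order, or as separate `-S` flags, will not match and is reported as a finding. This hunk (and the b32 hunk that follows) only changes the auid value, so the behaviour is pre-existing, but if exact-order matching is intended it should be stated next to the rule, and if not, the syscall portion of the pattern should be loosened.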
@@ -3824,13 +3824,13 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d
- -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete
+ -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Audit records can be generated from various components within the information system (e.g., module or policy filter).
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete
+ #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete
/etc/audit/rules.d/audit.rules
False