I'd like to see the audit -k field names match whatever we call the
actual check. Right now they're (fairly arbitrary) strings from the
stig.rules file. Any objection to changing them to match the rule name?
I noticed many of the audit rules apply the "-F auid>=500 -F
auid!=4294967295" fields, and I'm not fully sure I agree with it. It
looks like these were taken from the stig.rules sample file that ships
This presumes that system administrators are following UID naming
schemes. I suppose we could create a "no UIDs < 500" check, but I'd
rather eliminate the "-F auid>=500 -F auid!=4294967295" from the audit
rules to ensure those with less than noble intent can't create a UID <
500 and escape auditing. By reference, all our Common Criteria profiles
do not have the auid checks.
What's the consensus -- keep or remove auid flags?
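As an added example (not part of this thread and not code from the audit project), the following Python lint reads an audit.rules fragment, reports every rule that carries an `auid>=` lower bound, prints the rule with the auid filters removed, and lets you evaluate whether a given login UID would be matched by a rule's filters at all. The sample rules are constructed in the style of the stig.rules lines under discussion; the function names and the 500 threshold are assumptions for the example.

```python
import operator
import re

# Constructed sample rules, modelled on the stig.rules style discussed above.
SAMPLE_RULES = """\
# constructed sample, not a real stig.rules excerpt
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S execve -k exec
"""

# One "-F auid<op><value>" filter; 4294967295 is the kernel's "unset" login UID (-1).
AUID_FILTER = re.compile(r"auid(>=|<=|!=|>|<|=)(\d+)")
OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       ">": operator.gt, "<": operator.lt, "=": operator.eq}


def parse_rules(text):
    """Yield (line_no, tokens) for every non-empty, non-comment rule line."""
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield n, stripped.split()


def auid_filters(tokens):
    """Return the (op, value) pairs of every -F auid filter on a rule."""
    found = []
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-F":
            m = AUID_FILTER.fullmatch(tokens[i + 1])
            if m:
                found.append((m.group(1), int(m.group(2))))
    return found


def rule_applies_to(tokens, auid):
    """True if a process with login UID `auid` passes all auid filters on the rule."""
    return all(OPS[op](auid, value) for op, value in auid_filters(tokens))


def strip_auid_filters(tokens):
    """Return the rule with every -F auid... pair removed (the change proposed above)."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "-F" and i + 1 < len(tokens) and AUID_FILTER.fullmatch(tokens[i + 1]):
            i += 2          # drop the "-F" and its auid operand
            continue
        out.append(tokens[i])
        i += 1
    return out


def find_uid_gaps(text, threshold=500):
    """Report rules whose auid lower bound exempts login UIDs below `threshold`.

    Returns a list of (line_no, original_rule, rule_without_auid_filters).
    """
    findings = []
    for n, tokens in parse_rules(text):
        bounds = [v for op, v in auid_filters(tokens) if op in (">=", ">")]
        if bounds and any(v <= threshold for v in bounds) and not rule_applies_to(tokens, threshold - 1):
            findings.append((n, " ".join(tokens), " ".join(strip_auid_filters(tokens))))
    return findings


if __name__ == "__main__":
    for line_no, before, after in find_uid_gaps(SAMPLE_RULES):
        print(f"line {line_no}: login UIDs below 500 are not audited")
        print(f"  before: {before}")
        print(f"  after:  {after}")
```

Running it over the sample lists the three syscall rules carrying the filters, and `rule_applies_to` on one of them returns False for UID 499, which is the escape the message is concerned about. Note that dropping `auid!=4294967295` as well also brings processes with no login UID (daemons started at boot) into the audit stream, so expect more event volume after the change.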