I noticed many of the audit rules apply the "-F auid>=500 -F
auid!=4294967295" fields, and I'm not fully sure I agree with it. It
looks like these were taken from the stig.rules sample file that ships
with RHEL.
This presumes that system administrators are following UID naming
schemes. I suppose we could create a "no UIDs < 500" check, but I'd
rather eliminate the "-F auid>=500 -F auid!=4294967295" from the audit
rules to ensure those with less than noble intent can't create a UID <
500 and escape auditing. By reference, all our Common Criteria profiles
do not have the auid checks.
What's the consensus -- keep or remove auid flags?
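As an added example (not part of this post, of the stig.rules file, or of any Common Criteria profile), a small Python check for the situation described above: it finds rules whose `auid>=N` filter exempts low login UIDs, lists which accounts in a constructed /etc/passwd excerpt would fall under that exemption, and emits the rule with the auid fields removed. The sample rules and passwd lines are constructed for the example.

```python
import re

# Constructed sample rules in stig.rules style (not taken from the post or from RHEL).
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-w /etc/sudoers -p wa -k actions
"""

# Constructed /etc/passwd excerpt: 'backup' is a sub-500 UID with an interactive shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:450:450:backup:/var/backups:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

AUID_FIELD = re.compile(r"\s*-F\s+auid(?:>=|!=)\S+")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def exempting_rules(rules_text):
    """Return (rule, N) for every rule whose 'auid>=N' filter leaves
    login UIDs below N unaudited."""
    hits = []
    for line in rules_text.splitlines():
        m = re.search(r"-F\s+auid>=(\d+)", line)
        if m:
            hits.append((line, int(m.group(1))))
    return hits


def strip_auid_filters(rules_text):
    """Rewrite rules without any auid filter, so each rule fires regardless of
    login UID. Dropping 'auid!=4294967295' also admits events from processes
    whose login UID is unset (daemons, boot-time tasks), so expect more volume."""
    return "\n".join(AUID_FIELD.sub("", line) for line in rules_text.splitlines())


def exempt_interactive_accounts(passwd_text, threshold):
    """List accounts that fall under the exemption: UID below the threshold and a
    login shell, i.e. a user whose actions the filtered rules would not record."""
    exempt = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if int(uid) < threshold and shell not in NOLOGIN_SHELLS:
            exempt.append(name)
    return exempt


if __name__ == "__main__":
    for rule, n in exempting_rules(SAMPLE_RULES):
        print(f"auid>={n} exempts: {exempt_interactive_accounts(SAMPLE_PASSWD, n)}")
        print("without auid filter:", AUID_FIELD.sub("", rule))
```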