Comparing the "official" STIG content with the scap-security-guide content, the former seems to have added corresponding rules for "-F auid=0" that aren't present in scap-security-guide. I.e., where scap-security-guide will just have one rule:

    -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F auid!=4294967295 -k delete

the official content will have the above plus:

    -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete

Is the addition necessary? It doesn't seem to be, as the rules caught root usage of, for example, chmod just fine without it (I had used su; not sure if there's a difference between that and other ways of being root.) I would like to make sure I'm right before asking one group or the other to delete or add it, respectively.

--Ray

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
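An added example, not from the post or from either rule set, that models how the -F auid filters on the two rule forms decide whether an event is logged. It assumes auditd's usual semantics (auid is set once by pam_loginuid at login and survives su/sudo; 4294967295 is the "unset" value) and constructs the arch and syscall list that the post elides.

```python
import re

# 4294967295 is (unsigned) -1: the kernel's "unset" login uid, e.g. for daemons
# started at boot that never went through a login session.
UNSET_AUID = 4294967295

# Constructed rule lines in the shape the post describes; the post elides the
# syscall list and the arch, so "b64" and "unlink,unlinkat" are placeholders.
SSG_RULE = ("-a always,exit -F arch=b64 -S unlink,unlinkat "
            "-F auid>=500 -F auid!=4294967295 -k delete")
STIG_EXTRA_RULE = "-a always,exit -F arch=b64 -S unlink,unlinkat -F auid=0 -k delete"

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b, "=": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def auid_filters(rule):
    """Return the (operator, value) pairs of every -F auid filter in a rule line."""
    return [(op, int(val)) for op, val in
            re.findall(r"-F\s+auid(>=|<=|!=|=|>|<)(\d+)", rule)]

def rule_matches(rule, auid):
    """True when every auid filter in the rule holds for an event with this auid.
    All -F fields on one rule are ANDed, as auditctl evaluates them."""
    return all(_OPS[op](auid, val) for op, val in auid_filters(rule))

def matching_rules(rules, auid):
    """Names of the rules that would log an event carrying this auid."""
    return [name for name, rule in rules.items() if rule_matches(rule, auid)]

RULES = {"ssg": SSG_RULE, "stig_auid0": STIG_EXTRA_RULE}

# Constructed scenarios. auid is fixed at login and kept across su/sudo, so a
# uid-1000 user who becomes root via su still carries auid=1000 on every syscall.
SCENARIOS = {
    "uid 1000 logged in, then su to root": 1000,
    "root logged in directly (e.g. console)": 0,
    "daemon started at boot, no login": UNSET_AUID,
}

if __name__ == "__main__":
    for desc, auid in SCENARIOS.items():
        hit = matching_rules(RULES, auid) or "nothing"
        print(f"{desc:40} auid={auid:<10} logged by: {hit}")
```

Running it shows which of the three constructed login situations each rule form covers, which is the distinction a su-based test alone does not exercise.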