httpd auid = -1

Todd Heberlein Thu, 30 Jul 2020 15:04:43 -0700

I’ve noticed that the httpd process on a CentOS 7.7 system I am working with is 
running with an Audit ID of -1. Example ID values are:


        auid=4294967295
        uid=48
        gid=48
        ...

So if use the standard filter "-F auid!=-1” in the audit rules I do not see 
httpd activity.

Is this common?

How do I change the auid to something else, so I can capture the httpd activity 
in the audit log?


Example audit line:

type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 
success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 
ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/usr/sbin/httpd" key=(null)


Thanks,

Todd


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

httpd auid = -1

Reply via email to