Linux-audit Archive on
 help / color / Atom feed
From: Todd Heberlein <>
To: Steve Grubb <>
Subject: Re: httpd auid = -1
Date: Thu, 30 Jul 2020 11:47:05 -0700
Message-ID: <> (raw)
In-Reply-To: <1740602.XSbsyeiCUq@x2>


This has some interesting implications regarding attackers coming in through a vulnerability in an organization's web services. I’ll have to compare what relevant information I can capture in the audit logs vs. what is captured in web server logs.


> On Jul 30, 2020, at 11:29 AM, Steve Grubb <> wrote:
> On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
>> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
>> with is running with an Audit ID of -1. Example ID values are:
>>        auid=4294967295
>>        uid=48
>>        gid=48
>>        ...
>> So if use the standard filter "-F auid!=-1” in the audit rules I do not see
>> httpd activity.
>> Is this common?
> Yes, this is common. Most people are interested in the actions that people
> take on the machine rather than normal system functioning.
>> How do I change the auid to something else, so I can capture the httpd
>> activity in the audit log?
> A couple of ways. 
> 1) remove the auid!=-1. That will get you all daemons.
> 2) Use audit by executable rules:
> -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec
> -Steve 
>> Example audit line:
>> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
>> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
>> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
>> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>> exe="/usr/sbin/httpd" key=(null)

Linux-audit mailing list

  reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-30 17:54 Todd Heberlein
2020-07-30 18:29 ` Steve Grubb
2020-07-30 18:47   ` Todd Heberlein [this message]
2020-07-30 21:41     ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-audit Archive on

Archives are clonable:
	git clone --mirror linux-audit/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-audit linux-audit/ \
	public-inbox-index linux-audit

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone