What's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in `auditctl`?

My server is centos7.6 with auditd 2.8.5

In audit rule, I set:
-a always,exit -F arch=b32 -S adjtimex,settimeofday -F key=time-change
But this rule also records normal ntpd activities, so I tried to revise this rule to:

-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F subj_type!=ntpd_t  -F auid!=chrony -F auid!=ntp -F auid!=chrony -F auid!=ntp -F key=time-change

Should I use auid!=ntp or uid!=ntp? I checked the manual:

Each inter-field equation is anded with each other as well as equations starting with -F to trigger an audit record. There are 2 operators supported - equal, and not equal. Valid fields are: auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid

I am confused, what's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in auditctl?


The audit manual assumes you are familiar with a POSIX security model and the many types of uids. Read man credentials to get more familiar with that. However, that is incomplete; reference a security guide (such as the RHEL Audit System Reference) for the rest. Notably:

auid

Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john).


A rule and its exceptions could be written on one line for efficiency. However, I sometimes start with simpler rules. They are easier to understand and to piece together from examples.


auditd ships with example rules for auditing time change and ignoring chronyd. Look at /usr/share/doc/audit*/rules/22-ignore-chrony.rules:

## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t

"On a 64 bit platform, for the adjtimex call, when audit UID does not exist (not a login shell), and user name is chrony, and SELinux context is chronyd_t, never log."

Actually, that example may have a bug. With chronyd running under systemd, and the example rules from 30-pci-dss-v31.rules, I found audit events as uid 0.

type=SYSCALL msg=audit(1552670692.891:1067): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe0d94ae10 a1=0 a2=55e857a3af60 a3=0 items=0 ppid=1 pid=6487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key="10.4.2b-time-change"

ps reports it running as user chrony, and in the chronyd_t context. So it is confined, but auditd reflects how systemd started it as root.

Try the condition -F auid=unset -F subj_type=chronyd_t. Not from a login shell and in the correct context is good enough for me.

(This subsystem has its quirks. The only place I was able to translate auid=4294967295 to unset is the mailing list.)
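As an added illustration, not part of the question or the answer above: a small Python model of how auditctl's -F conditions apply to the chronyd SYSCALL record quoted in the answer. It assumes a constructed name-to-uid table (chrony=998, ntp=38) standing in for /etc/passwd, and that auditctl ANDs all -F conditions of a rule and resolves user names and the keyword unset at rule-load time. It shows why the packaged uid=chrony exception never matches the root-started chronyd, why auid=unset plus subj_type=chronyd_t does, and why the question's auid!= filters exclude nothing for a daemon whose auid was never set.

```python
import re

# Constructed sample: the chronyd SYSCALL record quoted in the answer above.
RECORD = ('type=SYSCALL msg=audit(1552670692.891:1067): arch=c000003e syscall=159 success=yes '
          'exit=5 a0=7ffe0d94ae10 a1=0 a2=55e857a3af60 a3=0 items=0 ppid=1 pid=6487 '
          'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
          'ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" '
          'subj=system_u:system_r:chronyd_t:s0 key="10.4.2b-time-change"')

UNSET = 4294967295            # (uid_t)-1: no login session ever set an audit uid
ID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid")
PASSWD = {"root": 0, "chrony": 998, "ntp": 38}   # assumed name->uid table, not /etc/passwd

def parse_record(line):
    """Split a one-line audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def describe_ids(rec):
    """The credential fields auditctl can filter on, with (uid_t)-1 shown as 'unset'."""
    return {f: "unset" if int(rec[f]) == UNSET else int(rec[f])
            for f in ID_FIELDS + ("gid", "egid", "sgid", "fsgid")}

def resolve(field, value):
    """Resolve a -F value as auditctl does at load time: names via passwd, 'unset' to (uid_t)-1."""
    if field not in ID_FIELDS:
        return value
    if value == "unset":
        return UNSET
    return int(value) if value.isdigit() else PASSWD[value]

def rule_matches(rec, conditions):
    """Evaluate a list of (field, op, value) -F conditions; all of them are ANDed."""
    for field, op, value in conditions:
        actual = rec["subj"].split(":")[2] if field == "subj_type" else rec[field]
        if field in ID_FIELDS:
            actual = int(actual)
        if (actual == resolve(field, value)) != (op == "="):
            return False
    return True

# Packaged 22-ignore-chrony exception: uid=chrony does not hold (uid is 0), so it never fires here.
PACKAGED = [("auid", "=", "unset"), ("uid", "=", "chrony"), ("subj_type", "=", "chronyd_t")]
# The answer's suggested exception: auid unset plus the confined context, which does match.
SUGGESTED = [("auid", "=", "unset"), ("subj_type", "=", "chronyd_t")]
# The question's auid!= filters: chronyd's auid is unset, so they exclude nothing here.
QUESTION = [("subj_type", "!=", "ntpd_t"), ("auid", "!=", "chrony"), ("auid", "!=", "ntp")]

if __name__ == "__main__":
    rec = parse_record(RECORD)
    print(describe_ids(rec), [rule_matches(rec, r) for r in (PACKAGED, SUGGESTED, QUESTION)])
```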