From 98e06464ebbd962cd2b41c6d69db3a01918e65f2 Mon Sep 17 00:00:00 2001
From: Antoine Viallon
Date: Mon, 11 Mar 2024 00:18:34 +0100
Subject: [PATCH] [Hardening] ignore execve where auid is unset (services, typically)
---
 security/hardening.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/hardening.nix b/security/hardening.nix
index a19d8fc..c4bf2fd 100644
--- a/security/hardening.nix
+++ b/security/hardening.nix
@@ -123,8 +123,8 @@ in
 "-a exit,always -F arch=b64 -S init_module -S finit_module -k module_insertion"
 "-a exit,always -F arch=b32 -S init_module -S finit_module -k module_insertion"
- "-a exit,always -F arch=b64 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
- "-a exit,always -F arch=b32 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
+ "-a exit,always -F arch=b64 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve"
+ "-a exit,always -F arch=b32 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve"
 ] ++ optional cfg.expensive "-a exit,always -F arch=b64 -S execve -k execve_calls"
 ;
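Review bot: Both rewritten `privesc_execve` rules still match only `-S execve`, so a euid=0 process with auid!=euid that execs through `execveat` (including `fexecve` on a `memfd_create` descriptor, a common fileless-execution technique) produces no event under this key; adding `-S execveat` beside `-S execve` on both the b64 and b32 lines closes that gap without touching the new auid logic, e.g. `"-a exit,always -F arch=b64 -C auid!=euid -F auid!=unset -F euid=0 -S execve -S execveat -k privesc_execve"`. The added `-F auid!=unset` also stops logging children of root services: a daemon compromised into spawning a shell has auid unset and euid 0, which the removed lines did match (unset is not equal to 0), and the only remaining catch for that case is the `execve_calls` rule, which the context line installs only when `cfg.expensive` is set and only for `arch=b64`. That is a deliberate noise/coverage trade-off, so a short Nix comment above the two rules recording it would help the next reader, e.g. `# auid!=unset skips processes outside a login session (services); a root service exec'ing a shell is only caught by the expensive execve_calls rule`. The enclosing list and the `in` block continue outside the hunk.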