[Hardening] ignore execve where auid is unset (services, typically)

2026-04-05 17:27:50 +00:00 · 2024-03-11 00:18:34 +01:00 · 2024-03-11 00:18:34 +01:00 · 98e06464eb
commit 98e06464eb
parent 470e333d00
1 changed files with 2 additions and 2 deletions
--- a/security/hardening.nix
+++ b/security/hardening.nix
@ -123,8 +123,8 @@ in
          
          "-a exit,always -F arch=b64 -S init_module -S finit_module -k module_insertion"
          "-a exit,always -F arch=b32 -S init_module -S finit_module -k module_insertion"
-          "-a exit,always -F arch=b64 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
-          "-a exit,always -F arch=b32 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
+          "-a exit,always -F arch=b64 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve"
+          "-a exit,always -F arch=b32 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve"
         ]
      ++ optional cfg.expensive "-a exit,always -F arch=b64 -S execve -k execve_calls"
    ;