PURPOSE of /CoreOS/audit/Regression/bz670938-searching-on-auid-1-results-in-all-events
Description: Bug 670938 - searching on auid = -1 results in all events
Author: Eduard Benes

When an audit rule such as this is loaded on a 32 bit system:

    -a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1

system processes (ones with auid == -1) still get logged. This is because
the auid is converted using a signed conversion and then compared in the
kernel as unsigned. Since 2147483647 does not equal 4294967295, the rule
never triggers. Listing the rule back out with "auditctl -l" shows that
auid=2147483647 (0x7fffffff) is loaded rather than 4294967295.

The second issue tracked in this bug was with getting records for auid
4294967295 with ausearch. This resulted in all records rather than the one
wanted. The query was something like this:

    ausearch -ul 4294967295 -if ./audit.log

where audit.log had the following event:

    type=USER_AUTH msg=audit(1258740386.638:288): user pid=28360 uid=500 auid=500 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=failed'
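
The behaviour both issues above call for, as an added example (not part of this test or of the audit code base): a reference filter that normalises an auid to its unsigned 32-bit value before comparing, so -1 and 4294967295 select the same records and nothing else, plus a check of whether a loaded "auid!=" value really excludes unset-auid processes. The function names and the second sample record are constructed for illustration.

```python
import re

UNSET_AUID = 0xFFFFFFFF  # 4294967295: unsigned 32-bit form of auid -1

# Line 1 is the event from the text (shortened); line 2 is constructed.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1258740386.638:288): user pid=28360 uid=500 auid=500 ses=3 msg='op=PAM:authentication acct="root" res=failed'
type=SYSCALL msg=audit(1258740390.101:289): syscall=5 success=no pid=1201 auid=4294967295 uid=0 comm="crond"
""".splitlines()

# Match the auid field itself, not a longer key that merely ends in "auid".
AUID_RE = re.compile(r"(?<![A-Za-z0-9_])auid=(-?\d+)")


def to_u32(text):
    """Convert an auid given as text ("-1", "500", "4294967295") to unsigned 32-bit."""
    value = int(text, 10)
    if not -1 <= value <= UNSET_AUID:
        raise ValueError(f"auid out of range: {text!r}")
    return value & 0xFFFFFFFF  # -1 becomes 4294967295, never 2147483647


def search_by_auid(lines, wanted):
    """Return only the records whose auid equals `wanted`, compared unsigned."""
    target = to_u32(wanted)
    hits = []
    for line in lines:
        match = AUID_RE.search(line)
        if match and to_u32(match.group(1)) == target:
            hits.append(line)
    return hits


def rule_excludes_unset(loaded_value):
    """True if 'auid!=<loaded_value>', as listed by auditctl -l, skips unset-auid processes.

    The kernel compares unsigned, so the filter only excludes them when the
    loaded value is exactly 4294967295.
    """
    return to_u32(str(loaded_value)) == UNSET_AUID


if __name__ == "__main__":
    for query in ("500", "-1", "4294967295"):
        print(query, "->", len(search_by_auid(SAMPLE_LOG, query)), "record(s)")
    for loaded in (2147483647, 4294967295):
        print("auid!=%d excludes unset auid:" % loaded, rule_excludes_unset(loaded))
```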