I am trying to implement STIG rules for our system. I modified Steve Grubbs' stig.rules for my audit.rules file. Included was the rule
-a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F auid!=4294967296 -k perm_mod which I understand should exempt root and unset processes from having these system calls captured. Yet in our audit.logs there was a torrent of records of the sort type=SYSCALL msg=audit(1326897520.970:2005250): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=1 a1=100 a2=0 a3=7fff21800870 items=1 ppid=3536 pid=20965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="time_adjust.ksh" exe="/bin/ksh93" key="perm_mod" type=PATH msg=audit(1326897520.970:2005250): item=0 name=(null) inode=25631356 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00 and type=SYSCALL msg=audit(1326897480.144:2005238): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=5 a1=100 a2=0 a3=7fffa8f157d0 items=1 ppid=20707 pid=20726 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="find_client_sta" exe="/bin/ksh93" key="perm_mod" type=PATH msg=audit(1326897480.144:2005238): item=0 name=(null) inode=25630808 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00 I need to get rid of them to make annalysis possible and to avoid soaking up disk space. find_client_status.ksh and time_adjust.ksh are both scripts that are spawned by a daemon running as root. I attach my version of audit.rules.
audit_rules
Description: audit_rules
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
