<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Exchange Server">  <style></style> </head> <body> <font face="Calibri" size="2"><span style="font-size:11pt;"> <div>I am trying to implement STIG rules for our system. I modified Steve Grubbs' stig.rules for my audit.rules file. Included </div> <div>was the rule</div> <div> </div> <div>-a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F auid!=4294967296 -k perm_mod</div> <div> </div> <div>which I understand should exempt root and unset processes from having these system calls captured. Yet</div> <div>in our audit.logs there was a torrent of records of the sort</div> <div> </div> <div>type=SYSCALL msg=audit(1326897520.970:2005250): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=1 a1=100 a2=0 a3=7fff21800870 items=1 ppid=3536 pid=20965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="time_adjust.ksh" exe="/bin/ksh93" key="perm_mod"</div> <div>type=PATH msg=audit(1326897520.970:2005250): item=0 name=(null) inode=25631356 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00</div> <div> </div> <div>and</div> <div> </div> <div>type=SYSCALL msg=audit(1326897480.144:2005238): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=5 a1=100 a2=0 a3=7fffa8f157d0 items=1 ppid=20707 pid=20726 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="find_client_sta" exe="/bin/ksh93" key="perm_mod"</div> <div>type=PATH msg=audit(1326897480.144:2005238): item=0 name=(null) inode=25630808 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00</div> <div> </div> <div>I need to get rid of them to make annalysis possible and to avoid soaking up disk space.</div> <div> </div> <div>find_client_status.ksh and time_adjust.ksh are both scripts that are spawned by a daemon running as root.</div> <div> </div> <div>I attach my version of audit.rules. </div> <div> </div> </span></font> </body> </html>