Filtering audit events

Steve Grubb sgrubb at redhat.com
Wed Sep 2 23:31:04 UTC 2015


On Monday, August 31, 2015 09:58:42 AM rshaw1 at umbc.edu wrote:
> > If you use the -i argument to ausearch, it becomes more clear what the
> > issue is. The problem is that the program is opening the file for read and
> > write, but the permissions are just for group read. If that file were
> > 0660, then you would not get this audit event.
> 
> Hrm.  The process is running as the root user, though.  It's going over
> the whole filesystem (for backups).

But look at all the uids it has:

auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990
egid=9002 sgid=9002 fsgid=9002 

I'm betting it's a setuid program and is being prevented by various checks.
Its effective uid is 4990, its fsuid is 4990. If changing the permissions is
acceptable and fixes it, that's what I'd do.

-Steve
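The point of Steve's reply is that the kernel's permission check uses the filesystem uid/gid (fsuid/fsgid), not the uid=0 that catches the eye in the record. The following is an added example, not code from the thread: it pulls the credential fields out of the quoted SYSCALL record and replays the classic DAC decision for an open for read and write. The record prefix, the file ownership (root:9002), the modes 0640 vs 0660 and the simplified capability handling (CAP_DAC_OVERRIDE assumed only while euid is 0) are assumptions.

```python
import os
import re

# Constructed sample: the credential fields quoted in the thread, wrapped in a
# made-up record prefix so it looks like a SYSCALL line from audit.log.
RECORD = ("type=SYSCALL msg=audit(0.000:1): "
          "auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990 "
          "egid=9002 sgid=9002 fsgid=9002")

CRED_FIELDS = ("auid", "uid", "gid", "euid", "suid", "fsuid", "egid", "sgid", "fsgid")
R, W, X = 4, 2, 1                     # permission bits within one rwx class
ACCMODE = getattr(os, "O_ACCMODE", 3)  # mask selecting O_RDONLY/O_WRONLY/O_RDWR

def parse_creds(record):
    """Return the numeric credential fields of an audit record as a dict."""
    pat = r"\b(%s)=(\d+)" % "|".join(CRED_FIELDS)
    return {k: int(v) for k, v in re.findall(pat, record)}

def requested_bits(flags):
    """Map an open(2) access mode to the rwx bits the DAC check needs."""
    acc = flags & ACCMODE
    return {os.O_RDONLY: R, os.O_WRONLY: W, os.O_RDWR: R | W}[acc]

def dac_allows(creds, owner, group, mode, want, groups=()):
    """Classic Unix DAC decision: compare fsuid/fsgid (not uid) with the file.

    Simplification (assumption): CAP_DAC_OVERRIDE is treated as present only
    while euid is 0, the usual state of a setuid program that has dropped to a
    non-root euid.
    """
    if creds["euid"] == 0:
        return True
    if creds["fsuid"] == owner:
        cls = (mode >> 6) & 7
    elif creds["fsgid"] == group or group in groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return cls & want == want

def explain(record, owner, group, mode, flags):
    """Summarise why the open in RECORD would be allowed or denied."""
    creds = parse_creds(record)
    ok = dac_allows(creds, owner, group, mode, requested_bits(flags))
    return {"uid": creds["uid"], "fsuid": creds["fsuid"], "mode": oct(mode), "allowed": ok}

if __name__ == "__main__":
    # Assumed file: owned by root, group 9002, group-readable only, opened O_RDWR.
    print(explain(RECORD, 0, 9002, 0o640, os.O_RDWR))  # denied despite uid=0
    print(explain(RECORD, 0, 9002, 0o660, os.O_RDWR))  # 0660 lets the open succeed
```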