From: rshaw1@umbc.edu
Subject: Re: Filtering audit events
Date: Mon, 31 Aug 2015 09:58:42 -0400
Message-ID: <84a967ab2e861435cc1d0c3553aef15f.squirrel@webmail.umbc.edu>
In-Reply-To: <1315756444.19796884.1441027336015.JavaMail.zimbra@redhat.com>
To: linux-audit@redhat.com

> If you use the -i argument to ausearch, it becomes more clear what the
> issue is. The problem is that the program is opening the file for read and
> write, but the permissions are just for group read. If that file were
> 0660, then you would not get this audit event.

Hrm. The process is running as the root user, though. It's going over the
whole filesystem (for backups).
>> The STIG-compliant audit ruleset we're using seems to generate a lot of
>> these, and I'm concerned that may be affecting the performance of the app
>> in question (also, I consider it log spam). I tried the following rule
>> (plus a few variations like ogid), but it doesn't seem to be working:
>>
>> -a exit,never -F gid=9002 -k exclude
>
> This should work as long as it's before the open rule. Rules are processed
> from top to bottom with first match winning.
>
>> What would be the best way to approach this?

It's pretty much at the top, well before the open rule. There are only two
other exclude rules before it, and the general settings:

-D
-b 8192
-f 1

This is on RHEL6, if that matters.

--Ray
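The first-match-wins ordering discussed above can be checked mechanically before rules are loaded. The following is an added example, not code from this thread or from the audit project: a small Python linter that flags any `never` rule that sits below an `always` rule able to match the same event. The rules file it parses is constructed here (modelled on the lines quoted in the thread), and it compares only `-F field=value` equality filters and `-S` syscall lists, so treat its output as a warning rather than a full emulation of the kernel's matcher.

```python
import re
import shlex

# Constructed rules modelled on the ones quoted in the thread (not the poster's real file).
RULES = [
    "-D", "-b 8192", "-f 1",
    "-a always,exit -F arch=b64 -S open -F exit=-EACCES -k access",
    "-a exit,never -F gid=9002 -k exclude",
]
BAD_ORDER = "\n".join(RULES)                                  # never rule after the open rule
GOOD_ORDER = "\n".join(RULES[:3] + RULES[4:] + RULES[3:4])    # never rule moved ahead of it

def parse_rule(line):
    """Return (action, list, {field: value}, {syscalls}) for an -a rule, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-a":
        return None
    first, second = toks[1].split(",")
    action, flist = (first, second) if first in ("always", "never") else (second, first)
    filters, syscalls = {}, set()
    for flag, arg in zip(toks[2::2], toks[3::2]):
        if flag == "-F" and "=" in arg and not re.search(r"[!<>]=", arg):
            field, value = arg.split("=", 1)  # only plain equality filters are compared
            filters[field] = value
        elif flag == "-S":
            syscalls.update(arg.split(","))
    return action, flist, filters, syscalls

def overlaps(a, b):
    """True if some syscall event could satisfy both rules' filters."""
    _, la, fa, sa = a
    _, lb, fb, sb = b
    if la != lb or (sa and sb and not (sa & sb)):
        return False
    return all(fa[k] == fb[k] for k in fa.keys() & fb.keys())

def shadowed_never_rules(rules_text):
    """Return (never_line, always_line) pairs where an earlier, overlapping always rule wins."""
    rules = [(n, parse_rule(l)) for n, l in enumerate(rules_text.splitlines(), 1)]
    found = []
    for i, (n, rule) in enumerate(rules):
        if rule and rule[0] == "never":
            found += [(n, m) for m, earlier in rules[:i]
                      if earlier and earlier[0] == "always" and overlaps(rule, earlier)]
    return found

if __name__ == "__main__":
    print("bad order :", shadowed_never_rules(BAD_ORDER))   # [(5, 4)]
    print("good order:", shadowed_never_rules(GOOD_ORDER))  # []
```

Point `shadowed_never_rules` at the contents of a real audit.rules file to list every exclusion that an earlier `always` rule would pre-empt.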