If you use the -i argument to ausearch, it becomes more clear what
the
issue is. The problem is that the program is opening the file for read and
write, but the permissions are just for group read. If that file were
0660, then you would not get this audit event.
Hrm. The process is running as the root user, though. It's going over
the whole filesystem (for backups).
>The STIG-compliant audit ruleset we're using seems to generate
a lot of
>these, and I'm concerned that may be affecting the performance of the app
>in question (also, I consider it log spam). I tried the following rule
>(plus a few variations like ogid), but it doesn't seem to be working:
>
>-a exit,never -F gid=9002 -k exclude
This should work as long as its before the open rule. Rules are processed
from top to bottom with first match winning.
>What would be the best way to approach this?
It's pretty much at the top, well before the open rule. There are only
two other exclude rules before it, and the general settings:
-D
-b 8192
-f 1
This is on RHEL6, if that matters.
--Ray