I am trying to implement STIG rules for our system.  I modified Steve Grubbs' stig.rules for my audit.rules file.  Included

was the rule

 

-a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F auid!=4294967296 -k perm_mod

 

which I understand should exempt root and unset processes from having these system calls captured.  Yet

in our audit.logs there was a torrent of records of the sort

 

type=SYSCALL msg=audit(1326897520.970:2005250): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=1 a1=100 a2=0 a3=7fff21800870 items=1 ppid=3536 pid=20965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="time_adjust.ksh" exe="/bin/ksh93" key="perm_mod"

type=PATH msg=audit(1326897520.970:2005250): item=0 name=(null) inode=25631356 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00

 

and

 

type=SYSCALL msg=audit(1326897480.144:2005238): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=5 a1=100 a2=0 a3=7fffa8f157d0 items=1 ppid=20707 pid=20726 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="find_client_sta" exe="/bin/ksh93" key="perm_mod"

type=PATH msg=audit(1326897480.144:2005238): item=0 name=(null) inode=25630808 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00

 

I need to get rid of them to make annalysis possible and to avoid soaking up disk space.

 

find_client_status.ksh and time_adjust.ksh are both scripts that are spawned by a daemon running as root.

 

I attach my version of audit.rules.