I have some puzzling behavior, can anyone shed some light here?
I have a script in cron.weekly that has a command being executed which I am auditing for execve. That part seems to work fine. However, in the detailed audit report my user id is associated with the execution. Root owns the files there and ultimately root is the effective UID in the record, but why am I associated with the activity at all?
Audit version is: 2.0.4-1
Kernel version is: 2.6.32-71
I did not notice this behavior in RHEL5.