From: Steve Grubb
Subject: Re: stopping "chatter"
Date: Fri, 2 Nov 2007 16:52:08 -0400
Message-ID: <200711021652.09236.sgrubb@redhat.com>
References: <472B88E9.1050008@navy.mil>
In-Reply-To: <472B88E9.1050008@navy.mil>
To: linux-audit@redhat.com, gsh@usno.navy.mil
List-Id: linux-audit@redhat.com

On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065  /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?

The audit system would not normally record access to that file unless it was
told to. Do you see a rule that is watching that file? If so, comment it out
or modify the rule so that it only watches for more unusual accesses like
accessing it when there's a permission denied, something like:

auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp

-Steve
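
Added example, not part of the original message or the audit project's code: a small Python check that scans rules written in audit.rules syntax for active rules covering a given file and flags those with no exit filter, which is the "do you see a rule watching that file" step from the reply. The sample rules are constructed, and the function names are hypothetical.

```python
import shlex

# Constructed sample in audit.rules syntax; only the exit=-13 rule is from the thread.
SAMPLE_RULES = """\
# session accounting
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp
-a exit,always -S open -F dir=/var/run -F perm=r
#-w /var/run/utmp -p r
"""


def parse_rule(line):
    """Return path/perm/exit for a file rule, or None for comments and other rules."""
    rule = {"path": None, "perm": None, "exit": None, "recursive": False}
    tokens = iter(shlex.split(line, comments=True))
    for tok in tokens:
        if tok == "-w":                      # watch syntax: -w PATH [-p PERMS]
            rule["path"] = next(tokens, None)
        elif tok == "-p":
            rule["perm"] = next(tokens, None)
        elif tok == "-F":                    # field syntax: -F name=value
            name, _, value = next(tokens, "").partition("=")
            if name in ("path", "dir"):
                rule["path"], rule["recursive"] = value, name == "dir"
            elif name in ("perm", "exit"):
                rule[name] = value
    return rule if rule["path"] else None


def rules_covering(rules_text, target):
    """List (line number, rule text, noisy) for active rules that cover target.

    noisy is True when the rule has no exit filter, so successful accesses
    are logged as well as failed ones.
    """
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["recursive"]:                # dir= covers the whole subtree
            covered = target.startswith(rule["path"].rstrip("/") + "/")
        else:                                # -w on a directory is not resolved here
            covered = rule["path"] == target
        if covered:
            hits.append((lineno, line.strip(), rule["exit"] is None))
    return hits


if __name__ == "__main__":
    for lineno, text, noisy in rules_covering(SAMPLE_RULES, "/var/run/utmp"):
        print(f"line {lineno}: {'NOISY ' if noisy else 'scoped'} {text}")
```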