* stopping "chatter"
@ 2007-11-02 20:30 Greg Hennessy
From: Greg Hennessy @ 2007-11-02 20:30 UTC (permalink / raw)
To: Linux-audit
I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Redhat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds,
which fills the log files. I'd like to ignore these, but my first attempt doesn't
seem to work. I'm admittedly a novice at configuring auditd.
[root@foo ~]# aureport -f --summary | head -10
File Summary Report
===========================
total file
===========================
136065 /var/run/utmp
5283 /etc/symc-defutils.conf
795 /home/fsotest/.gconf/apps/puplet/
662 /usr/include/linux/
599 /dev/null
[root@foo ~]# auditctl -l | grep utmp
[root@foo ~]# auditctl -a exit,never -w /var/run/utmp
[root@foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root@foo ~]#
What would be the proper syntax to get auditctl to
ignore the open attempts to /var/run/utmp?
* Re: stopping "chatter"
@ 2007-11-02 20:52 ` Steve Grubb
From: Steve Grubb @ 2007-11-02 20:52 UTC (permalink / raw)
To: linux-audit, gsh
On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065 /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?
The audit system would not normally record access to that file unless it was
told to. Do you see a rule that is watching that file? If so, comment it out
or modify the rule so that it only watches for more unusual accesses like
accessing it when there's a permission denied, something like:
auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp
-Steve
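As an added illustration (not code from the thread or the audit project), a small Python helper that parses rule lines in the two forms seen above (old `auditctl -l` listing lines and `-a`/`-w` command lines) and reports whether an access to a path would be logged. It models the one thing that bites here: rules are matched in order, so an exit,never rule only suppresses a watch if it precedes the always rule, and a rule carrying exit=-13 only fires when the syscall failed with EACCES. The sample rule text is constructed; perm flags are recorded but not used to filter by syscall.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the two styles the thread shows: an old-style
# `auditctl -l` listing line and audit.rules command lines. Not from a real host.
SAMPLE_RULES = """\
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
-a exit,never -F path=/var/run/utmp
-a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp
"""

@dataclass
class Rule:
    action: str                  # "always" or "never"
    path: str                    # file being watched
    perm: str                    # access types (r, w, x, a); parsed, not enforced here
    filters: dict = field(default_factory=dict)   # remaining -F fields, e.g. exit

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; returns None for comments and rules without a file."""
    line = line.strip()
    if line.startswith("LIST_RULES:"):
        line = line[len("LIST_RULES:"):]
    toks = line.split()
    if not toks or toks[0].startswith("#"):
        return None
    action, path, fields = "always", None, {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-a", "-A") and i + 1 < len(toks):   # -a list,action
            i += 1; tok = toks[i]
        if tok in ("-w", "-p", "-F") and i + 1 < len(toks):
            i += 1
            if tok == "-w": path = toks[i]
            elif tok == "-p": fields["perm"] = toks[i]
            else: fields.update([toks[i].partition("=")[::2]])   # key=value
        elif "never" in tok.split(","):     # exit,never or never,exit
            action = "never"
        elif "=" in tok:                    # watch=/x perm=rwxa in -l output
            fields.update([tok.partition("=")[::2]])
        i += 1
    path = path or fields.pop("watch", None) or fields.pop("path", None)
    if path is None:
        return None
    return Rule(action, path, fields.pop("perm", "rwxa"), fields)

def would_record(rule_text: str, target: str, exit_code: int = 0) -> bool:
    """First matching rule wins, as in the kernel's exit filter list."""
    for r in filter(None, map(parse_rule, rule_text.splitlines())):
        if r.path != target:
            continue
        if "exit" in r.filters and int(r.filters["exit"]) != exit_code:
            continue                        # e.g. exit=-13 only matches EACCES
        return r.action == "always"
    return False    # nothing watched the file, so nothing is logged
```

With the sample as listed, `would_record(SAMPLE_RULES, "/var/run/utmp")` is True because the never rule comes after the watch; swapping the first two lines makes it False.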