From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: the meaning of this audit entry
Date: Tue, 20 Nov 2007 21:22:19 -0500
Message-ID: <200711202122.19682.sgrubb@redhat.com>
References: <12635.72.245.30.196.1195507332.squirrel@aa.usno.navy.mil> <200711191706.33466.sgrubb@redhat.com> <14222.199.211.133.254.1195573007.squirrel@aa.usno.navy.mil>
In-Reply-To: <14222.199.211.133.254.1195573007.squirrel@aa.usno.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 20 November 2007 10:36:47 am Bill Tangren wrote:
> type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
> syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
> a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
> exe=/usr/X11R6/bin/Xorg

Yeah, see this is a wee bit more readable. I think you have a rule for reads
with success != yes. The only thing you might want to worry about is failed
access attempts. They have success=no, but their exit code is different.

> Now, this system is plugged into a KVM switch, and sometimes the sysadmin
> who logs into the GUI stays logged in for days (he forgets to log out),

I'd think some auto logout rules would solve that. ;)

> I don't know if any of this has anything to do with why I'm getting 500MB
> worth of logs every day,

That is excessive. I think it shows you need to refactor your rules.

-Steve
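An added illustration of the point Steve makes above, written for this page and not taken from the thread or from the audit project: a `success=no` record is not automatically a failed access attempt, and the `exit=` errno is what separates a non-blocking read that simply had no data (EAGAIN, as in Bill's Xorg record) from a genuine denial (EACCES or EPERM). The script parses interpreted `ausearch -i` style SYSCALL lines and buckets them by that distinction. The first log line is the one quoted in the thread; the other two are constructed for the example, and the errno table is hard-coded to Linux values so the result does not depend on the host it runs on.

```python
import re
from collections import Counter

# Linux errno values relevant here, hard-coded so classification does not
# depend on the host OS's errno module (EAGAIN differs on other platforms).
LINUX_ERRNO = {1: "EPERM", 4: "EINTR", 11: "EAGAIN", 13: "EACCES"}
TRANSIENT = {"EAGAIN", "EINTR"}       # no data on a non-blocking fd / interrupted: noise
ACCESS_DENIED = {"EPERM", "EACCES"}   # the failures a rule set should keep

# key=value tokens; a value may carry a parenthesised suffix containing spaces,
# e.g. exit=-11(Resource temporarily unavailable) or msg=audit(timestamp:serial)
_FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s(]+(?:\([^)]*\))?)')


def parse_record(line):
    """Turn one interpreted SYSCALL line into a dict of field -> raw value."""
    return {key: value for key, value in _FIELD.findall(line)}


def exit_errno(raw_exit):
    """'-11(Resource temporarily unavailable)' -> 'EAGAIN'; '4096' -> None."""
    match = re.match(r"-?\d+", raw_exit)
    if not match:
        return None
    code = int(match.group())
    if code >= 0:               # non-negative exit: the syscall succeeded
        return None
    return LINUX_ERRNO.get(-code, f"E{-code}")   # unknown errno kept as a number


def classify(rec):
    """Bucket a parsed record: success / transient / access-denied / other-failure."""
    if rec.get("type") != "SYSCALL":
        return "ignored"
    if rec.get("success") == "yes":
        return "success"
    name = exit_errno(rec.get("exit", ""))
    if name in TRANSIENT:
        return "transient"
    if name in ACCESS_DENIED:
        return "access-denied"
    return "other-failure"


def summarize(lines):
    """Count records per bucket; returns a plain dict such as {'transient': 1, ...}."""
    counts = Counter(classify(parse_record(line)) for line in lines if line.strip())
    return dict(counts)


# Sample input. The first line is the record quoted in the thread; the next two
# are constructed for this example and are not real log data.
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read success=no "
    "exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 "
    "auid=bjt uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X "
    "exe=/usr/X11R6/bin/Xorg",
    # constructed: an unprivileged user denied access to a file
    "type=SYSCALL msg=audit(11/20/2007 10:25:13.101:2971402) : arch=i386 syscall=open success=no "
    "exit=-13(Permission denied) a0=bfa1c2d0 a1=8000 a2=0 a3=0 items=1 pid=4021 auid=bjt uid=bjt "
    "gid=bjt euid=bjt suid=bjt fsuid=bjt egid=bjt sgid=bjt fsgid=bjt comm=cat exe=/bin/cat",
    # constructed: a read that succeeded and returned 4096 bytes
    "type=SYSCALL msg=audit(11/20/2007 10:25:14.220:2971403) : arch=i386 syscall=read success=yes "
    "exit=4096 a0=3 a1=b7f2c000 a2=1000 a3=0 items=0 pid=4022 auid=bjt uid=bjt gid=bjt euid=bjt "
    "suid=bjt fsuid=bjt egid=bjt sgid=bjt fsgid=bjt comm=less exe=/usr/bin/less",
]

if __name__ == "__main__":
    for bucket, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket:15s} {count}")
```

Run over the three sample lines it reports one `transient`, one `access-denied` and one `success` record. The same split can be pushed into the rule set itself rather than done after the fact, since auditctl's `-F exit=` filter accepts a negative errno (for example `-F exit=-EACCES`), which is the usual way to log failed access attempts without also capturing every EAGAIN from a polling process such as the X server.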