From mboxrd@z Thu Jan  1 00:00:00 1970
From: Valdis.Kletnieks@vt.edu
Subject: Re: Way too many logs!
Date: Fri, 09 May 2008 17:29:04 -0400
Message-ID: <21796.1210368544@turing-police.cc.vt.edu>
References: <482479DC020000100005CB37@gsi.gracon.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1163076533=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m49LTFGv030221
	for <linux-audit@redhat.com>; Fri, 9 May 2008 17:29:15 -0400
Received: from turing-police.cc.vt.edu (turing-police.cc.vt.edu
	[128.173.14.107])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m49LT5T8000358
	for <linux-audit@redhat.com>; Fri, 9 May 2008 17:29:05 -0400
In-Reply-To: Your message of "Fri, 09 May 2008 16:20:44 EDT."
	<482479DC020000100005CB37@gsi.gracon.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Jeremy Leonard <jeremyl@gracon.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============1163076533==
Content-Type: multipart/signed; boundary="==_Exmh_1210368544_2925P";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit

--==_Exmh_1210368544_2925P
Content-Type: text/plain; charset=us-ascii

On Fri, 09 May 2008 16:20:44 EDT, Jeremy Leonard said:
> -a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 

> type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect 

OK, I'll bite - why is a select() syscall tripping sched_setparam or sched_setschdeduler?

Or more importantly - are those two cutting audit events for the wrong reasons?

(In other words, should the kernel be doing the "trim it to only user-initiated
changes" that Steve Grubb suggested 'uid>500' as a workaround?

--==_Exmh_1210368544_2925P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFIJMIgcC3lWbTT17ARAvMHAKCpwo5tMjRI4wYIflyuxJnRjb29PACfVMsE
tgL2MVQwCoveAwkMfNnusUw=
=lW2l
-----END PGP SIGNATURE-----

--==_Exmh_1210368544_2925P--


--===============1163076533==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1163076533==--