public inbox for linux-audit@redhat.com
From: Greg Hennessy <greg.hennessy@navy.mil>
To: Linux-audit@redhat.com
Subject: stopping "chatter"
Date: Fri, 02 Nov 2007 16:30:33 -0400
Message-ID: <472B88E9.1050008@navy.mil>

I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Red Hat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds,
which fills the log files. I'd like to ignore these, but my first attempt doesn't
seem to work. I'm admittedly a novice at configuring auditd.

[root@foo ~]# aureport -f --summary | head -10

File Summary Report
===========================
total  file
===========================
136065  /var/run/utmp
5283  /etc/symc-defutils.conf
795  /home/fsotest/.gconf/apps/puplet/
662  /usr/include/linux/
599  /dev/null
[root@foo ~]# auditctl -l | grep utmp
[root@foo ~]# auditctl -a exit,never -w /var/run/utmp
[root@foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root@foo ~]#

What would be the proper syntax to get auditctl to
ignore the open attempts to /var/run/utmp?


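A check for the mismatch visible in the session above, where a rule requested with `never` is listed back as `exit,always`. This is an added example, not part of the original message or of the audit project's code; it assumes the `LIST_RULES:` line format shown above, and the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm which action the kernel actually holds for a watched
# path, instead of trusting that the auditctl command line was accepted as typed.
# Assumes the `auditctl -l` line format shown in the message:
#   LIST_RULES: <list>,<action> watch=<path> perm=<perms>

# Constructed sample: line 1 is the listing from the message, line 2 is made up.
SAMPLE_LISTING='LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
LIST_RULES: exit,always watch=/etc/passwd perm=wa'

# rule_actions PATH: read `auditctl -l` output on stdin and print the
# "list,action" pair of every rule whose watch= field equals PATH.
rule_actions() {
    awk -v want="$1" '
        $1 == "LIST_RULES:" {
            for (i = 3; i <= NF; i++)
                if ($i == ("watch=" want)) { print $2; break }
        }'
}

# verify_action PATH ACTION: read `auditctl -l` output on stdin.
# Returns 0 if every rule listed for PATH carries ACTION ("never" or "always"),
# 1 if any rule for PATH carries a different action, 2 if no rule is listed.
verify_action() {
    path=$1 expected=$2 seen=0 status=0
    for pair in $(rule_actions "$path"); do
        seen=1
        action=${pair#*,}          # "exit,always" -> "always"
        if [ "$action" != "$expected" ]; then
            echo "MISMATCH: $path loaded as '$pair', expected '$expected'" >&2
            status=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "NO RULE: nothing listed for $path" >&2; return 2; }
    return "$status"
}

# Demo on the sample; on a live host: auditctl -l | verify_action /var/run/utmp never
printf '%s\n' "$SAMPLE_LISTING" | verify_action /var/run/utmp never || true
```

Run after loading rules, a non-zero status here flags the same situation the session shows: the watch was accepted but with an action other than the one requested.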