public inbox for linux-audit@redhat.com
* stopping "chatter"
From: Greg Hennessy @ 2007-11-02 20:30 UTC
  To: Linux-audit

I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Red Hat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds,
which fills the log files. I'd like to ignore these, but my first attempt doesn't
seem to work. I'm admittedly a novice at configuring auditd.

[root@foo ~]# aureport -f --summary | head -10

File Summary Report
===========================
total  file
===========================
136065  /var/run/utmp
5283  /etc/symc-defutils.conf
795  /home/fsotest/.gconf/apps/puplet/
662  /usr/include/linux/
599  /dev/null
[root@foo ~]# auditctl -l | grep utmp
[root@foo ~]# auditctl -a exit,never -w /var/run/utmp
[root@foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root@foo ~]#

What would be the proper syntax to get auditctl to
ignore the open attempts to /var/run/utmp?



* Re: stopping "chatter"
From: Steve Grubb @ 2007-11-02 20:52 UTC
  To: linux-audit, gsh

On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065  /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?

The audit system would not normally record access to that file unless it was
told to. Do you see a rule that is watching that file? If so, comment it out
or modify the rule so that it only watches for more unusual accesses, like
accessing it when there's a permission denied, something like:

auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp

-Steve
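A small script, added here and not part of the thread, that does what the reply suggests: it finds any loaded rule watching the path (in both the LIST_RULES format shown above and the newer "-w" listing format) and prints the narrowed replacement rule, plus the exclusion form the question was reaching for. The rule listing is a constructed sample and the key names are assumptions.

```shell
#!/bin/sh
# Constructed sample of a rule listing (not captured from a real host). It mixes
# the LIST_RULES format shown in the thread with the newer "-w" listing format.
RULES_SAMPLE='LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=passwd
-w /var/run/utmp -p rwxa -k utmp
-w /etc/shadow -p wa -k shadow'

# Print every rule on stdin that watches PATH, whatever its permission mask.
# A match here is the "rule that is watching that file" to comment out or narrow.
watches_on() {
    grep -E "(watch=|-w )$1( |\$)"
}

# The narrowed rule from the reply: log only accesses to PATH that fail with
# EACCES (errno 13, "permission denied"), tagged with KEY for ausearch -k.
# auditctl accepts the list/action pair in either order ("always,exit" or
# "exit,always" as written in the reply).
narrowed_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=wra -F exit=-13 -k $2"
}

# What the "-a exit,never -w" attempt in the question was reaching for. A "-w"
# rule is always an always,exit watch (hence the exit,always line in the listing),
# so an exclusion has to be written as a -F path filter instead, and it must be
# loaded before the rules it overrides because the first matching rule decides.
exclusion_rule() {
    printf '%s\n' "-a never,exit -F path=$1"
}

# Demo on the constructed sample; on a real host pipe `auditctl -l` in instead.
printf '%s\n' "$RULES_SAMPLE" | watches_on /var/run/utmp
narrowed_rule /var/run/utmp utmp_denied
exclusion_rule /var/run/utmp
```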
