From: Greg Hennessy <gsh@usno.navy.mil>
Subject: stopping "chatter"
Date: Fri, 02 Nov 2007 16:30:33 -0400
To: linux-audit@redhat.com
Message-ID: <472B88E9.1050008@navy.mil>

I need to configure auditing for certification reasons, but I'd like to cut down on wasted disk space by ignoring known "chatter". On a newly installed Red Hat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds, which fills the log files. I'd like to ignore these, but my first attempt doesn't seem to work. I'm admittedly a novice at configuring auditd.
[root@foo ~]# aureport -f --summary | head -10

File Summary Report
===========================
total  file
===========================
136065  /var/run/utmp
5283  /etc/symc-defutils.conf
795  /home/fsotest/.gconf/apps/puplet/
662  /usr/include/linux/
599  /dev/null
[root@foo ~]# auditctl -l | grep utmp
[root@foo ~]# auditctl -a exit,never -w /var/run/utmp
[root@foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root@foo ~]#

What would be the proper syntax to get auditctl to ignore the open attempts to /var/run/utmp?

-- 
Greg Hennessy
Astronomer, Astrometry Department, USNO
3450 Mass. Ave. NW, Washington, DC 20392, USA
gsh@usno.navy.mil | http://ad.usno.navy.mil/~gsh
tel (202) 762-1523, fax (202) 762-1514
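The listing in the post shows what went wrong: `-w` always produces an `exit,always` watch, whatever action was given to `-a`. The following is an added example, not code from the original post or from a reply on the list. It writes the exclusion in the syscall-rule form (`-a exit,never -F path=...`), which is the form that keeps the `never` action, and it places the exclusions ahead of the rules that must stay, because the kernel walks the exit filter list in order and the first matching rule decides (auditctl(8): `-a` appends to the list, `-A` prepends). The report text is a constructed sample modelled on the post's output, the threshold is illustrative, and the `-w /etc/shadow -p wa` line stands in for whatever the site's real certification rules are.

```shell
#!/bin/sh
# Added example (not from the original post): turn the noisiest paths in an
# `aureport -f --summary` report into auditctl "never" rules, and keep them
# in front of the "always" rules so they are matched first.

# Constructed sample modelled on the report in the post (not real output).
SAMPLE_REPORT='
File Summary Report
===========================
total  file
===========================
136065  /var/run/utmp
5283  /etc/symc-defutils.conf
795  /home/fsotest/.gconf/apps/puplet/
662  /usr/include/linux/
599  /dev/null
'

# noisy_paths THRESHOLD [REPORT]: print "count path" for every entry whose
# count exceeds THRESHOLD (threshold value is illustrative). Defaults to the
# constructed sample above.
noisy_paths() {
    threshold="$1"
    report="${2:-$SAMPLE_REPORT}"
    printf '%s\n' "$report" |
        awk -v t="$threshold" '$1 ~ /^[0-9]+$/ && $1 + 0 > t + 0 { print $1, $2 }'
}

# never_rule PATH: one exit-filter rule that suppresses records for PATH.
# -F path= is the syscall-rule form of a watch on the same inode; unlike -w it
# does not override the action, so "never" survives.
never_rule() {
    printf '%s\n' "-a exit,never -F path=$1"
}

# build_rules THRESHOLD: a complete audit.rules fragment. Exclusions come
# first; the rules that must stay follow them. The -w line is a placeholder
# for the site's real rule set (assumption, not from the post).
build_rules() {
    noisy_paths "$1" | while read -r _count path; do
        never_rule "$path"
    done
    printf '%s\n' "-w /etc/shadow -p wa"
}

# live_command PATH: the command to add the exclusion to a running system.
# With -a the new rule would land at the end of the list, behind the always
# rules that already match; -A inserts it at the head.
live_command() {
    printf '%s\n' "auditctl -A exit,never -F path=$1"
}

# Stand-alone run: print the fragment for everything over 1000 hits.
if [ "${1:-}" = "--print" ]; then
    build_rules 1000
fi
```

Load the fragment from the top of audit.rules, or use the `-A` form on a live system; `auditctl -l` should then list the utmp rule with `exit,never` ahead of the others, and the utmp count in `aureport -f --summary` should stop growing. Directory entries in the report (those ending in `/`) get a rule on the directory inode only, not on files beneath it.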