RHEL-AS-4.4 and auditd-1.0.14
Simon Jones
sjones at tusc.com.au
Tue Feb 13 23:20:04 UTC 2007
Hi Steve,
I changed the rule from the /etc watch to individual files in the /etc
directory and that seems to have settled it down.
It seems to be a problem with watching directories only.
Simon.
On 14/02/2007, at 10:07 AM, Simon Jones wrote:
> Hi Steve,
>
> I've installed the latest audit package and it seems to be exactly
> the same. Overnight:
>
> size-32 208310 208369 32 119 1 : tunables 120 60 8 : slabdata 1751 1751 0
>
> [sysadmin at blah ~]$ rpm -q audit
> audit-1.0.15-1.fc4
>
> I've cut down the rules to a single watch on the /etc directory (I
> realise that this only watches the directory and not the files in it).
>
> No rules
> AUDIT_WATCH_LIST: dev=9:1, path=/etc, filterkey=ETC, perms=w, valid=0
>
> Every access to /etc seems to add to the size-32 objects and never
> releases them.
>
> Any other suggestions?
>
> Simon.
>
> On 13/02/2007, at 1:33 PM, Steve Grubb wrote:
>
>> On Monday 12 February 2007 17:54, Simon Jones wrote:
>>> I loaded just the rules and left it overnight and it still looks
>>> fine.
>>>
>>> size-32 3688 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
>>
>> Hmm...that would seem to point to the audit daemon. I posted the
>> code for the 1.0.15 audit package here:
>>
>> http://people.redhat.com/sgrubb/audit/audit-1.0.15-1.fc4.src.rpm
>>
>> Maybe you want to build that and give it a try? I'd be curious if
>> you see a leak in that version. It does have some cleanups, but
>> nothing I recall as fixing a memory leak.
>>
>> -Steve
>
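The comparison done by eye in this thread can be scripted. This is an added example, not part of the original messages or the audit project's code: it parses two `/proc/slabinfo` snapshots in the column layout quoted above and reports caches whose active object count has grown. The function names and the `size-64` rows are constructed for illustration; the `size-32` rows are the two quoted in the thread, used here as a baseline and a suspect sample.

```python
from typing import NamedTuple

class Slab(NamedTuple):
    active_objs: int
    num_objs: int
    objsize: int
    num_slabs: int

def parse_slabinfo(text):
    """Parse /proc/slabinfo text (layout as quoted in the thread) into {cache: Slab}."""
    caches = {}
    for line in text.splitlines():
        try:
            head, _tunables, slabdata = line.rsplit(":", 2)
        except ValueError:
            continue  # version banner, blank line: fewer than two ':' separators
        fields, data = head.split(), slabdata.split()
        if line.startswith("#") or len(fields) < 6 or data[:1] != ["slabdata"]:
            continue  # column-header comment or malformed row
        try:
            active, total, size = (int(v) for v in fields[-5:-2])
            caches[" ".join(fields[:-5])] = Slab(active, total, size, int(data[2]))
        except (ValueError, IndexError):
            continue  # non-numeric or truncated row
    return caches

def grown_caches(baseline, current, min_ratio=2.0):
    """Return (name, added_objs, added_bytes) for caches that grew by min_ratio or more."""
    hits = []
    for name, now in current.items():
        before = baseline.get(name)
        if before is None or now.active_objs < max(before.active_objs, 1) * min_ratio:
            continue
        delta = now.active_objs - before.active_objs
        hits.append((name, delta, delta * now.objsize))
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed snapshots: banner and size-64 rows are invented, size-32 rows are from the thread.
BASELINE = """slabinfo - version: 2.0
size-64 4100 4270 64 61 1 : tunables 120 60 8 : slabdata 70 70 0
size-32 3688 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
"""
SUSPECT = """slabinfo - version: 2.0
size-64 4150 4270 64 61 1 : tunables 120 60 8 : slabdata 70 70 0
size-32 208310 208369 32 119 1 : tunables 120 60 8 : slabdata 1751 1751 0
"""

if __name__ == "__main__":
    for name, objs, nbytes in grown_caches(parse_slabinfo(BASELINE), parse_slabinfo(SUSPECT)):
        print(f"{name}: +{objs} objects, about {nbytes / 1024:.0f} KiB more in use")
```

On a live system, save `/proc/slabinfo` to a file at intervals and feed consecutive files to `parse_slabinfo`; a cache that appears in every comparison and never shrinks is the one to investigate.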