Filesystem filling up ...

Valdis.Kletnieks at vt.edu
Fri Jun 29 15:39:29 UTC 2007


On Wed, 27 Jun 2007 19:42:39 +0200, Aaron Lippold said:
> # Audit Failed opens
> -a exit,always -S open -F success!=0

Note that a *lot* of programs will attempt to open optional config files,
and happily go on their merry way when they get an -ENOENT, leaving an audit
entry for you to drown in.  I just tested the venerable 'xfontsel', and at
one point, it generated *12* -ENOENT in a row looking for a bitmap for
a cursor before finding one it liked.  The next 3 cursors only needed
9, 10, and 8 failed attempts before it found one.

> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir

That's going to be really painful on any system that does software development,
as your average compile generates a lot of temporary files that get unlinked.
You may want to investigate whether it's feasible to ignore unlinks in /tmp.
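
One way to measure how much of the audit volume comes from the two noise sources described above (failed opens that return -ENOENT, and deletes under /tmp) before deciding what to exclude. This is an added example, not part of the original post. The log records are constructed samples, and the syscall numbers assume raw records from an x86_64 host.

```python
import re
from collections import Counter, defaultdict

SYSCALLS = {"2": "open", "84": "rmdir", "87": "unlink"}  # assumption: x86_64 numbers
ENOENT = -2  # raw records log the negative errno in exit=

# Constructed sample records, trimmed to the fields used below.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1183131569.101:501): arch=c000003e syscall=2 success=no exit=-2 exe="/usr/bin/xfontsel"
type=PATH msg=audit(1183131569.101:501): item=0 name="/usr/share/icons/default/cursors/xterm"
type=SYSCALL msg=audit(1183131569.102:502): arch=c000003e syscall=2 success=no exit=-2 exe="/usr/bin/xfontsel"
type=PATH msg=audit(1183131569.102:502): item=0 name="/usr/share/cursors/xterm"
type=SYSCALL msg=audit(1183131570.001:503): arch=c000003e syscall=2 success=no exit=-13 exe="/bin/cat"
type=PATH msg=audit(1183131570.001:503): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1183131571.001:504): arch=c000003e syscall=87 success=yes exit=0 exe="/usr/bin/gcc"
type=PATH msg=audit(1183131571.001:504): item=0 name="/tmp/"
type=PATH msg=audit(1183131571.001:504): item=1 name="/tmp/ccAb12Cd.s"
type=SYSCALL msg=audit(1183131572.001:505): arch=c000003e syscall=87 success=yes exit=0 exe="/bin/rm"
type=PATH msg=audit(1183131572.001:505): item=0 name="/home/dev/notes.txt"
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log):
    """Join the SYSCALL and PATH records that share one audit event ID."""
    events = defaultdict(lambda: {"paths": []})
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)].update(fields)
        elif fields.get("type") == "PATH":
            events[m.group(1)]["paths"].append(fields.get("name", ""))
    return events

def classify(ev):
    """Bucket an event by the two noise sources named in the reply."""
    name = SYSCALLS.get(ev.get("syscall"))
    if name == "open" and int(ev.get("exit", 0)) == ENOENT:
        return "open-ENOENT"
    if name in ("unlink", "rmdir") and any(p.startswith("/tmp/") for p in ev["paths"]):
        return "delete-in-tmp"
    return "keep"

def summarize(log):
    return Counter((classify(ev), ev.get("exe", "?")) for ev in parse_events(log).values())
```

Calling `summarize(SAMPLE_LOG)` returns per-executable counts for each bucket, so the "keep" rows (here the -EACCES on /etc/shadow and the delete outside /tmp) show what would remain after excluding the noise.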