stopping "chatter"

Greg Hennessy greg.hennessy at navy.mil
Fri Nov 2 20:30:33 UTC 2007


I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Red Hat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds,
which fills the log files. I'd like to ignore these, but my first attempt doesn't
seem to work. I'm admittedly a novice at configuring auditd.

[root at foo ~]# aureport -f --summary | head -10

File Summary Report
===========================
total  file
===========================
136065  /var/run/utmp
5283  /etc/symc-defutils.conf
795  /home/fsotest/.gconf/apps/puplet/
662  /usr/include/linux/
599  /dev/null
[root at foo ~]# auditctl -l | grep utmp
[root at foo ~]# auditctl -a exit,never -w /var/run/utmp
[root at foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root at foo ~]#

What would be the proper syntax to get auditctl to
ignore the open attempts to /var/run/utmp?
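As an added example, not taken from this thread or from the audit project, the shell fragment below writes a rules file that places the utmp suppression ahead of the watches and then checks that ordering. It assumes auditctl's documented semantics: a -w watch is always an "always" rule (as the auditctl -l output above shows), and the exit filter stops at the first matching rule, so a suppression has to be written as -a exit,never -F path=... and listed first; RULES_FILE and the watched paths are constructed for the example.

```shell
#!/bin/sh
# Constructed output path; not the system's /etc/audit/audit.rules.
RULES_FILE="${RULES_FILE:-./audit.rules.example}"

# Emit a rules fragment: suppressions first, then the watches we want kept.
write_rules() {
  cat > "$RULES_FILE" <<'EOF'
# Suppression first: the exit filter uses the first rule that matches.
# -w cannot express "never", so the path is given with -F path= instead.
-a exit,never -F path=/var/run/utmp -F perm=rwa
# Watches that should still produce records (example paths).
-w /etc/passwd -p wa -k identity
-w /etc/symc-defutils.conf -p rwa -k symc
EOF
}

# Print "ok" if no watch/always rule precedes a never rule, else report and fail.
check_order() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /-a[ \t]+(exit,never|never,exit)/ { last_never = NR; next }
    /^-w / || /-a[ \t]+(exit,always|always,exit)/ {
      if (first_always == 0) first_always = NR
    }
    END {
      if (last_never && first_always && first_always < last_never) {
        print "suppression after a watch (line " last_never ")"; exit 1
      }
      print "ok"; exit 0
    }' "$1"
}
```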
