stopping "chatter"
Steve Grubb
sgrubb at redhat.com
Fri Nov 2 20:52:08 UTC 2007
On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065 /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?
The audit system would not normally record access to that file unless it was
told to. Do you see a rule that is watching that file? If so, comment it out
or modify the rule so that it only watches for more unusual accesses like
accessing it when there's a permission denied something like:
auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp
-Steve
More information about the Linux-audit
mailing list