the meaning of this audit entry

Steve Grubb sgrubb at redhat.com
Wed Nov 21 02:22:19 UTC 2007


On Tuesday 20 November 2007 10:36:47 am Bill Tangren wrote:
> type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
> syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
> a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
> exe=/usr/X11R6/bin/Xorg

Yeah, see this is a wee bit more readable.  I think you have a rule for reads 
with success != yes. The only thing you might want to worry about is failed 
access attempts. They have success=no, but their exit code is different.


> Now, this system is plugged into a KVM switch, and sometimes the sysadmin
> who logs into the GUI stays logged in for days (he forgets to log out),

I'd think some auto logout rules would solve that. ;)

> I don't know if any of this has anything to do with why I'm getting 500MB
> worth of logs every day, 

That is excessive. I think it shows you need to refactor your rules.

-Steve
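The caveat above (a `read` returning EAGAIN and a denied `open` both carry success=no, and only the exit code tells them apart) is easy to get wrong in a rule that just matches success != yes. The following is an added example, not code from the thread or from the audit project: a small Python parser for the interpreted `ausearch -i` SYSCALL format quoted in this message, which splits failed records into EAGAIN-style noise versus EPERM/EACCES failed access attempts. The sample records other than Bill's original line are constructed, and the errno groupings are the example's own assumptions.

```python
import re
from collections import Counter

# One key=value token of an "ausearch -i" record. Values may be a bare word, a
# quoted string, or something like exit=-11(Resource temporarily unavailable),
# whose parenthesised description contains spaces.
TOKEN_RE = re.compile(r'(\w+)=(\S*?\([^)]*\)|"[^"]*"|\S+)')
# The exit field: a (possibly negative) number plus an optional "(description)".
EXIT_RE = re.compile(r'^(-?\d+)(?:\((.*)\))?$')

# Assumed groupings for this example: errno values that are usually benign
# (a non-blocking read with nothing to read) versus ones that mean an access
# attempt was actually denied and is worth reviewing.
NOISE_ERRNOS = {11}             # EAGAIN / EWOULDBLOCK
ACCESS_DENIED_ERRNOS = {1, 13}  # EPERM, EACCES

# Constructed sample log. The first record is the line from the message above,
# rejoined onto one line; the rest are made up for the example.
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read "
    "success=no exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 "
    "a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root euid=root suid=root "
    "fsuid=root egid=root sgid=root fsgid=root comm=X exe=/usr/X11R6/bin/Xorg",
    "type=SYSCALL msg=audit(11/20/2007 10:24:00.120:2971372) : arch=i386 syscall=read "
    "success=no exit=-11(Resource temporarily unavailable) a0=12 a1=97721e8 a2=1000 "
    "a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root comm=X exe=/usr/X11R6/bin/Xorg",
    "type=SYSCALL msg=audit(11/20/2007 10:25:13.001:2971400) : arch=i386 syscall=open "
    "success=no exit=-13(Permission denied) a0=bfa1d0c0 a1=0 a2=1b6 a3=0 items=1 "
    "pid=4021 auid=bjt uid=bjt gid=bjt comm=cat exe=/bin/cat",
    "type=SYSCALL msg=audit(11/20/2007 10:26:02.500:2971455) : arch=i386 syscall=setuid "
    "success=no exit=-1(Operation not permitted) a0=0 a1=0 a2=0 a3=0 items=0 "
    "pid=4022 auid=bjt uid=bjt gid=bjt comm=tool exe=/usr/local/bin/tool",
    "type=SYSCALL msg=audit(11/20/2007 10:26:03.000:2971456) : arch=i386 syscall=read "
    "success=yes exit=16 a0=3 a1=bfa1d000 a2=1000 a3=0 items=0 "
    "pid=4022 auid=bjt uid=bjt gid=bjt comm=tool exe=/usr/local/bin/tool",
]


def parse_record(line):
    """Parse one interpreted SYSCALL record into a dict.

    Adds 'exit_code' (int, negative errno on failure) and 'exit_desc' (the
    text inside the parentheses, or '') when an exit field is present.
    """
    fields = {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}
    m = EXIT_RE.match(fields.get('exit', ''))
    if m:
        fields['exit_code'] = int(m.group(1))
        fields['exit_desc'] = m.group(2) or ''
    return fields


def classify(record):
    """Label a record: 'ok' (success=yes), 'noise' (EAGAIN and friends),
    'denied' (EPERM/EACCES: a failed access attempt) or 'other' failure."""
    if record.get('success') == 'yes':
        return 'ok'
    errno = -record.get('exit_code', 0)
    if errno in NOISE_ERRNOS:
        return 'noise'
    if errno in ACCESS_DENIED_ERRNOS:
        return 'denied'
    return 'other'


def summarize(lines):
    """Count records by label and collect the denied ones for review."""
    counts = Counter()
    denied = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('type') != 'SYSCALL':
            continue
        label = classify(rec)
        counts[label] += 1
        if label == 'denied':
            denied.append((rec.get('syscall'), rec.get('exe'), rec.get('exit_desc')))
    return counts, denied


if __name__ == '__main__':
    counts, denied = summarize(SAMPLE_LOG)
    print(dict(counts))
    for syscall, exe, why in denied:
        print(f"denied: {syscall} by {exe}: {why}")
```

On the sample, the two Xorg reads are counted as noise while the `open` and `setuid` failures are surfaced as denied access attempts. The same separation can be pushed down into the rules themselves, since auditctl accepts an exit filter such as `-F exit=-EACCES` (a later rule syntax, not something the thread shows), which keeps the EAGAIN records from ever being written and is the kind of refactoring that shrinks a 500MB/day log.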