
List:       linux-audit
Subject:    Re: stopping "chatter"
From:       Steve Grubb <sgrubb () redhat ! com>
Date:       2007-11-02 20:52:08
Message-ID: 200711021652.09236.sgrubb () redhat ! com

On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065   /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?

The audit system would not normally record access to that file unless it was 
told to. Do you see a rule that is watching that file? If so, comment it out 
or modify the rule so that it only watches for more unusual accesses like 
accessing it when there's a permission denied, something like:

auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp

-Steve
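
One way to check for "a rule that is watching that file", as an added example that is not part of the original message: a shell function that reads audit rules in auditctl syntax (as stored in a rules file) and prints the ones covering a given path, whether by an exact `-w`/`-F path=` match or by a watch on a parent directory. The function name and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# rules_watching PATH: read audit rules in auditctl syntax on stdin and print
# those that cover PATH:
#   -w PATH / -F path=PATH   exact match on the file
#   -w DIR  / -F dir=DIR     DIR is a parent directory of PATH
rules_watching() {
    awk -v target="$1" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            hit = 0
            for (i = 1; i < NF; i++) {
                p = ""; recursive = 0
                if ($i == "-w") { p = $(i + 1); recursive = 1 }
                else if ($i == "-F" && $(i + 1) ~ /^path=/) p = substr($(i + 1), 6)
                else if ($i == "-F" && $(i + 1) ~ /^dir=/) { p = substr($(i + 1), 5); recursive = 1 }
                if (p == "") continue
                if (p == target) hit = 1
                sub(/\/+$/, "", p)           # tolerate a trailing slash on DIR
                if (recursive && p != "" && index(target, p "/") == 1) hit = 1
            }
            if (hit) print
        }'
}

# Constructed sample rules (not taken from any real system).
SAMPLE_RULES='# sample audit rules
-w /var/run/utmp -p wa -k session
-a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp
-w /etc/passwd -p wa -k identity
-a exit,always -F dir=/var/run -F perm=wa
-a exit,always -F path=/var/run -F perm=wa'

# Prints the three rules that would generate records for /var/run/utmp.
printf '%s\n' "$SAMPLE_RULES" | rules_watching /var/run/utmp
```

A watch on `/` itself is not reported by this function, since the trailing-slash handling reduces it to an empty path.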
