[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-audit
Subject: Re: stopping "chatter"
From: Steve Grubb <sgrubb () redhat ! com>
Date: 2007-11-02 20:52:08
Message-ID: 200711021652.09236.sgrubb () redhat ! com
[Download RAW message or body]
On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065 /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?
The audit system would not normally record access to that file unless it was
told to. Do you see a rule that is watching that file? If so, comment it out
or modify the rule so that it only watches for more unusual accesses like
accessing it when there's a permission denied something like:
auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp
-Steve
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic