Hello,

I have been testing a new set of audit rules and have run across some 
processes that are doing things that might ought to be changed. Typically, 
audit users expect a normally functioning system to not be noisy. There is a 
requirement to audit failed file access due to permission denied. What I'm 
finding is that two processes are generating tens of thousands of events 
every day.

There is a /usr/libexec/tracker-extract process that searches my directories 
about every 11 seconds. I can imagine on a laptop that would be a lot of disk 
activity. Sometimes I use root in my home directory and accidentally create 
files owned by root. This leads to lots of events on my system. Does it 
really need to run with this frequency?

But I also see one that I just don't understand. Every 12 seconds, 
/usr/lib/systemd/systemd calls openat with write flags to open 

/sys/fs/cgroup/cpu/cgroup.procs
/sys/fs/cgroup/cpuacct/cgroup.procs
/sys/fs/cgroup/blkio/cgroup.procs
/sys/fs/cgroup/memory/user.slice/user-4325.slice/user@4325.service/cgroup.procs
/sys/fs/cgroup/memory/user.slice/user-4325.slice/cgroup.procs
/sys/fs/cgroup/memory/user.slice/cgroup.procs
/sys/fs/cgroup/memory/cgroup.procs
/sys/fs/cgroup/devices/user.slice/cgroup.procs
/sys/fs/cgroup/devices/cgroup.procs
/sys/fs/cgroup/pids/user.slice/user-4325.slice/user@4325.service/cgroup.procs
/sys/fs/cgroup/pids/user.slice/user-4325.slice/cgroup.procs
/sys/fs/cgroup/pids/user.slice/cgroup.procs
/sys/fs/cgroup/pids/cgroup.procs

Which are all root-owned files. This adds up to about 45,000 events a day. Is 
there a purpose to opening those files? And if that was truly needed, should 
it be logging failures? Are the permissions wrong? If the failures are 
benign, why is it doing it at all?

Thanks,
-Steve

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/2HMJ4SX3UP22ASPI34YK6JOKEM2X5NYN/
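
Added example, not part of the message above: one way to tally which executables generate the permission-denied events and how often, by grouping raw audit records per event and keeping failed syscalls with exit=-13 (EACCES) or exit=-1 (EPERM). The sample records are constructed; the pids, serial numbers, the "access" key and the home-directory file name are assumptions, and syscall=257 is openat on x86_64.

```python
import re
from collections import Counter, defaultdict
# Constructed records in raw audit.log layout; pids, serials and the "access" key are made up.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1580000000.100:101): arch=c000003e syscall=257 success=no exit=-13 pid=1650 uid=4325 comm="systemd" exe="/usr/lib/systemd/systemd" key="access"
type=PATH msg=audit(1580000000.100:101): item=0 name="/sys/fs/cgroup/cpu/cgroup.procs" nametype=NORMAL
type=SYSCALL msg=audit(1580000003.000:102): arch=c000003e syscall=257 success=no exit=-13 pid=2210 uid=4325 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=PATH msg=audit(1580000003.000:102): item=0 name="/home/user/root-owned.txt" nametype=NORMAL
type=SYSCALL msg=audit(1580000005.500:103): arch=c000003e syscall=257 success=yes exit=3 pid=2210 uid=4325 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=SYSCALL msg=audit(1580000012.100:104): arch=c000003e syscall=257 success=no exit=-13 pid=1650 uid=4325 comm="systemd" exe="/usr/lib/systemd/systemd" key="access"
type=PATH msg=audit(1580000012.100:104): item=0 name="/sys/fs/cgroup/memory/cgroup.procs" nametype=NORMAL
type=SYSCALL msg=audit(1580000014.000:105): arch=c000003e syscall=257 success=no exit=-13 pid=2210 uid=4325 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=PATH msg=audit(1580000014.000:105): item=0 name="/home/user/root-owned.txt" nametype=NORMAL
'''
RECORD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = {"-13", "-1"}  # EACCES, EPERM

def denied_events(text):
    """Group records by (timestamp, serial); keep syscalls that failed with EACCES/EPERM."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[(ts, serial)]
        if rtype == "SYSCALL":
            ev.update(time=float(ts), exe=f.get("exe"), exit=f.get("exit"))
        elif rtype == "PATH":
            ev.setdefault("paths", []).append(f.get("name"))
    return [e for e in events.values() if e.get("exit") in DENIED]

def noise_report(text):
    """Per executable: denied-event count, mean seconds between events, denied paths."""
    by_exe = defaultdict(list)
    for e in denied_events(text):
        by_exe[e["exe"]].append(e)
    report = {}
    for exe, evs in by_exe.items():
        times = sorted(e["time"] for e in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[exe] = {"count": len(evs), "mean_gap": round(sum(gaps) / len(gaps), 1) if gaps else None,
                       "paths": Counter(p for e in evs for p in e.get("paths", []))}
    return report

if __name__ == "__main__":
    print(noise_report(SAMPLE_LOG))
```

The per-executable count and mean gap show which process is the noise source and at what cadence, which is what you need before deciding whether to fix the caller or add an exclusion to the rule.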