On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote:
> 136065 /var/run/utmp
>
> What would be the proper syntax to get auditctl to
> ignore the open attempts to /var/run/utmp?
The audit system would not normally record access to that file unless it was
told to. Do you see a rule that is w
I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Redhat 5 workstation there seems to be an open of /var/run/utmp every 10
seconds,
which fills the log files. I'd like to ignore these, but my fir
On Friday 02 November 2007 01:51:54 pm Bill Tangren wrote:
>
> Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500
> removed an audit rule
>
> What does this mean?
It means that the user logged in under acct 500 either deleted an audit rule
by hand or ran a script that did. On shu
When I restart my auditd daemon, I get a number of messages in
/var/log/messages that look like this:
Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500
removed an audit rule
What does this mean? Does it mean that some of my rules in
/etc/audit.rules are improper, and the serve
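An added example, not from the thread, that parses the kind of kernel audit line quoted above out of syslog and attributes each rule removal to the login uid (auid), so a rule change made under a real login stands out from ones with no login session. Sample lines are constructed around the one quoted in the message; the "added an audit rule" wording and treating auid 4294967295 as "unset" are assumptions.

```python
import re
from datetime import datetime, timezone

# Kernel audit message header as it appears in /var/log/messages:
# "audit(<epoch>.<ms>:<serial>): <body>"
AUDIT_RE = re.compile(r"audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s*(?P<body>.*)$")
AUID_UNSET = 4294967295  # assumption: -1 as unsigned, i.e. no login session

# Constructed sample; the first line is the one quoted in the thread.
SAMPLE_LINES = [
    "Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule",
    "Nov 2 10:27:25 charon kernel: audit(1194013645.793:6809): auid=500 removed an audit rule",
    "Nov 2 10:27:26 charon kernel: audit(1194013646.102:6810): auid=500 added an audit rule",
    "Nov 2 10:28:00 charon kernel: audit(1194013680.001:6811): auid=4294967295 removed an audit rule",
    "Nov 2 10:28:01 charon sshd[1234]: Accepted publickey for bob",
]

def parse_audit_line(line):
    """Return time (UTC), serial, auid (None if unset/absent) and body, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    auid_m = re.search(r"\bauid=(\d+)", body)
    auid = int(auid_m.group(1)) if auid_m else None
    if auid == AUID_UNSET:
        auid = None
    return {
        "time": datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "auid": auid,
        "body": body,
    }

def rule_changes(lines):
    """Yield (serial, action, auid) for every audit rule add/remove in the input."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if "removed an audit rule" in rec["body"]:
            events.append((rec["serial"], "removed", rec["auid"]))
        elif "added an audit rule" in rec["body"]:  # assumed companion message
            events.append((rec["serial"], "added", rec["auid"]))
    return events

def removals_by_auid(lines):
    """Count rule removals per login uid; key None means no login session."""
    counts = {}
    for _, action, auid in rule_changes(lines):
        if action == "removed":
            counts[auid] = counts.get(auid, 0) + 1
    return counts
```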
On Friday 02 November 2007 12:21:26 pm Bill Tangren wrote:
> Event Report
> ===
> # date time event type auid
> ===
> 1. 11/01/2007 12:00:00 AM 5844794 SYSCALL -1
The event report is to give you an idea about the distribution of events
occurring on
I am running audit-1.0.15-3.EL4 on a RHEL ES 4 system, fully patched. I am
trying to learn the meaning of the output of aureport. For example, if I
want to look at failed events, could you tell me what the following means?
That is, how do I know from this what is failing, and why?
[EMAIL PROTEC