From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: RHEL-AS-4.4 and auditd-1.0.14
Date: Wed, 14 Feb 2007 12:42:47 -0500
Message-ID: <200702141242.47142.sgrubb@redhat.com>
References: <8585B1BA-20C5-4733-B12E-A5B85ACE62F5@tusc.com.au>
	<DC9F5098-956F-4AFE-859B-4A6294BB31F8@tusc.com.au>
	<11541253-7ABC-440E-9E3A-229369D0F7D4@tusc.com.au>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <11541253-7ABC-440E-9E3A-229369D0F7D4@tusc.com.au>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Simon Jones <sjones@tusc.com.au>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 13 February 2007 18:20:04 Simon Jones wrote:
> I changed the rule from the /etc watch to individual files in the /
> etc directory and that seems to have settled it down.
>
> It seems to be a problem with watching directories only.

Hmm. The daemon doesn't make decisions at all based on what's in the event. 
Offhand, I don't have any other suggestions other than a session with 
valgrind. There's very little memory allocating done by the audit daemon to 
make sure we do not have memory leaks.

-Steve