All of lore.kernel.org
 help / color / mirror / Atom feed
From: Simon Jones <sjones@tusc.com.au>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: RHEL-AS-4.4 and auditd-1.0.14
Date: Wed, 14 Feb 2007 10:07:54 +1100	[thread overview]
Message-ID: <DC9F5098-956F-4AFE-859B-4A6294BB31F8@tusc.com.au> (raw)
In-Reply-To: <200702122133.53780.sgrubb@redhat.com>

Hi Steve,

I've installed the latest audit package and it seems to be exactly  
the same.  Overnight:

size-32           208310 208369     32  119    1 : tunables  120    
60    8 : slabdata   1751   1751      0

[sysadmin@blah ~]$ rpm -q audit
audit-1.0.15-1.fc4

I've cut down the rules to a single watch on the /etc directory (I  
realise that this only watches the directory and not the files in it).

No rules
AUDIT_WATCH_LIST: dev=9:1, path=/etc, filterkey=ETC, perms=w, valid=0

Every access to /etc seems to add to the size-32 objects and never  
releases them.

Any other suggestions?

Simon.

On 13/02/2007, at 1:33 PM, Steve Grubb wrote:

> On Monday 12 February 2007 17:54, Simon Jones wrote:
>> I loaded just the rules and left it overnight and it still looks  
>> fine.
>>
>> size-32             3688   3808     32  119    1 : tunables  120
>> 60    8 : slabdata     32     32      0
>
> Hmm...that would seem to point to the audit daemon. I posted the  
> code for the
> 1.0.15 audit package here:
>
> http://people.redhat.com/sgrubb/audit/audit-1.0.15-1.fc4.src.rpm
>
> Maybe you want to build that and give it a try? I'd be curious if  
> you see a
> leak in that version. It does have some cleanups, but nothing I  
> recall as
> fixing a memory leak.
>
> -Steve

  reply	other threads:[~2007-02-13 23:07 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-09  4:12 RHEL-AS-4.4 and auditd-1.0.14 Simon Jones
2007-02-10 14:27 ` Steve Grubb
2007-02-12 22:54   ` Simon Jones
2007-02-13  2:33     ` Steve Grubb
2007-02-13 23:07       ` Simon Jones [this message]
2007-02-13 23:20         ` Simon Jones
2007-02-14 17:42           ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DC9F5098-956F-4AFE-859B-4A6294BB31F8@tusc.com.au \
    --to=sjones@tusc.com.au \
    --cc=linux-audit@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.