From: Simon Jones <sjones@tusc.com.au>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: RHEL-AS-4.4 and auditd-1.0.14
Date: Wed, 14 Feb 2007 10:07:54 +1100
Message-ID: <DC9F5098-956F-4AFE-859B-4A6294BB31F8@tusc.com.au>
In-Reply-To: <200702122133.53780.sgrubb@redhat.com>

Hi Steve,

I've installed the latest audit package and it seems to be exactly
the same. Overnight:

size-32 208310 208369 32 119 1 : tunables 120 60 8 : slabdata 1751 1751 0

[sysadmin@blah ~]$ rpm -q audit
audit-1.0.15-1.fc4

I've cut down the rules to a single watch on the /etc directory (I
realise that this only watches the directory and not the files in it).

No rules
AUDIT_WATCH_LIST: dev=9:1, path=/etc, filterkey=ETC, perms=w, valid=0

Every access to /etc seems to add to the size-32 objects and never
releases them.

Any other suggestions?

Simon.

On 13/02/2007, at 1:33 PM, Steve Grubb wrote:
> On Monday 12 February 2007 17:54, Simon Jones wrote:
>> I loaded just the rules and left it overnight and it still looks
>> fine.
>>
>> size-32 3688 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
>
> Hmm...that would seem to point to the audit daemon. I posted the
> code for the 1.0.15 audit package here:
>
> http://people.redhat.com/sgrubb/audit/audit-1.0.15-1.fc4.src.rpm
>
> Maybe you want to build that and give it a try? I'd be curious if
> you see a leak in that version. It does have some cleanups, but
> nothing I recall as fixing a memory leak.
>
> -Steve
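
Added example, not part of the original message or of the audit project's code: a small parser that diffs two /proc/slabinfo snapshots and reports caches whose active object count keeps climbing, run here on the two size-32 readings quoted in this thread. The function names, the growth thresholds, the version banner and the size-64 lines are assumptions made for the illustration.

```python
# Added example: diff two /proc/slabinfo (2.x format) snapshots to spot a growing cache.
from collections import namedtuple

Cache = namedtuple("Cache", "name active_objs num_objs objsize objperslab pagesperslab num_slabs")

def parse_slabinfo(text):
    """Return {cache name: Cache}; banner, header and malformed lines are skipped."""
    caches = {}
    for line in text.splitlines():
        if line.startswith(("#", "slabinfo")):
            continue
        parts = [p.split() for p in line.split(":")]
        # Expect: name + 5 counters, "tunables" + 3 values, "slabdata" + 3 values.
        if len(parts) != 3 or len(parts[0]) != 6 or len(parts[2]) != 4:
            continue
        try:
            counters = [int(v) for v in parts[0][1:]]
            num_slabs = int(parts[2][2])
        except ValueError:
            continue
        caches[parts[0][0]] = Cache(parts[0][0], *counters, num_slabs)
    return caches

def growing_caches(before, after, min_objs=1000, min_ratio=2.0):
    """List (name, added objects, added bytes) for caches whose active objects grew
    by at least min_objs and by a factor of min_ratio (both thresholds are assumptions)."""
    found = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue
        delta = new.active_objs - old.active_objs
        if delta >= min_objs and new.active_objs >= min_ratio * max(old.active_objs, 1):
            found.append((name, delta, delta * new.objsize))
    return sorted(found, key=lambda f: f[2], reverse=True)

# size-32 lines are the two readings quoted in this thread; banner and size-64 are constructed.
BASELINE = """slabinfo - version: 2.0
size-64 1200 1220 64 61 1 : tunables 120 60 8 : slabdata 20 20 0
size-32 3688 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
"""
SUSPECT = """slabinfo - version: 2.0
size-64 1215 1220 64 61 1 : tunables 120 60 8 : slabdata 20 20 0
size-32 208310 208369 32 119 1 : tunables 120 60 8 : slabdata 1751 1751 0
"""

if __name__ == "__main__":
    for name, objs, nbytes in growing_caches(parse_slabinfo(BASELINE), parse_slabinfo(SUSPECT)):
        print(f"{name}: +{objs} active objects, about {nbytes / 1024:.0f} KiB")
```

On a live system the two inputs would be the contents of /proc/slabinfo captured at two points in time, which usually requires root to read.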