On Friday 02 November 2007 04:30:33 pm Greg Hennessy wrote: > 136065 /var/run/utmp > > What would be the proper syntax to get auditctl to > ignore the open attempts to /var/run/utmp?
The audit system would not normally record access to that file unless it was told to. Do you see a rule that is watching that file? If so, comment it out or modify the rule so that it only watches for more unusual accesses like accessing it when there's a permission denied something like: auditctl -a exit,always -F exit=-13 -F perm=wra -F path=/var/run/utmp -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
