On Tuesday 20 November 2007 10:36:47 am Bill Tangren wrote:
> type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
> syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
> a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
> exe=/usr/X11R6/bin/Xorg

Yeah, see this is a wee bit more readable. I think you have a rule for reads with success != yes. The only thing you might want to worry about is failed access attempts. They have success=no, but their exit code is different.

> Now, this system is plugged into a KVM switch, and sometimes the sysadmin
> who logs into the GUI stays logged in for days (he forgets to log out),

I'd think some auto logout rules would solve that. ;)

> I don't know if any of this has anything to do with why I'm getting 500MB
> worth of logs every day,

That is excessive. I think it shows you need to refactor your rules.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
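
The difference between failed reads and failed access attempts can be checked against the log itself. The following is an added example, not code from this thread: it tallies failed syscall records by syscall, exit code and executable to show what is filling the log, and keeps permission denials apart. It assumes "failed access attempts" means exits of EACCES or EPERM; the sample records are constructed on the model of the one quoted above.

```python
import errno
import re
from collections import Counter

# Constructed sample in the interpreted layout of the record quoted above
# (fields trimmed; the /bin/cat record and the user "alice" are made up).
SAMPLE = """\
type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 items=0 pid=3538 auid=bjt uid=root comm=X exe=/usr/X11R6/bin/Xorg
type=SYSCALL msg=audit(11/20/2007 10:24:00.061:2971372) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 items=0 pid=3538 auid=bjt uid=root comm=X exe=/usr/X11R6/bin/Xorg
type=SYSCALL msg=audit(11/20/2007 10:24:00.070:2971373) : arch=i386 syscall=read success=yes exit=4096 a0=12 items=0 pid=3538 auid=bjt uid=root comm=X exe=/usr/X11R6/bin/Xorg
type=SYSCALL msg=audit(11/20/2007 10:24:01.002:2971374) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfd3 items=1 pid=4102 auid=alice uid=alice comm=cat exe=/bin/cat
type=SYSCALL msg=audit(11/20/2007 10:24:01.100:2971375) : arch=i386 syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12 items=0 pid=3538 auid=bjt uid=root comm=X exe=/usr/X11R6/bin/Xorg
"""

# Assumption: a "failed access attempt" is a syscall refused with EACCES or EPERM.
DENIED = {-errno.EACCES, -errno.EPERM}
FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one record into key/value fields; exit becomes an int or None."""
    rec = dict(FIELD.findall(line))
    m = re.match(r"-?\d+", rec.get("exit", ""))
    rec["exit"] = int(m.group()) if m else None
    return rec


def triage(text):
    """Return (Counter of other failures, list of permission-denial records)."""
    noise, denied = Counter(), []
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = parse(line)
        if rec.get("success") != "no":
            continue  # only failed calls are of interest here
        if rec["exit"] in DENIED:
            denied.append(rec)
        else:
            noise[(rec.get("syscall"), rec["exit"], rec.get("exe"))] += 1
    return noise, denied


if __name__ == "__main__":
    noise, denied = triage(SAMPLE)
    for key, count in noise.most_common():
        print(count, *key)
    for rec in denied:
        print("DENIED", rec["syscall"], rec["exit"], rec["auid"], rec["exe"])
```
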
