Scott,

On 17 jan 2008, at 02:36, Scott Everard wrote:
> My audit logs are filling up with MEMCTNL entries even though I
> removed everything from the audit_control and audit_user files. The
> audit_event file has MEMCTNL as ot. This has been removed from the
> audit_control file and it still gets logged. Any thoughts?
>

What did you do after you removed ot from audit_control? Unless you
rebooted, all running processes retain the preselection mask they have, so
if one process has ot in its flags, it will keep logging MEMCNTL events.

You can look at the records in the audit trail, and pick out the process
id of processes which generate MEMCNTL, and then use
"auditconfig -getpinfo <pid>" to see what flags it is using.

cheers,
/Martin
-- 
Martin Englund, Security Engineer, .Sun Engineering, Sun Microsystems Inc.
Email: martin.englund at sun.com Time Zone: GMT-3 PGP: 1024D/AA514677
"The question is not if you are paranoid, it is if you are paranoid enough."
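
The lookup described in the reply above, as an added example that is not part of the original message: it pulls the process ids out of the subject token of each record and runs auditconfig -getpinfo on them. The function names are hypothetical, AUE_MEMCNTL is assumed to be the event name behind the MEMCNTL records, and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread).

# Read `praudit -l` output (one record per line, comma-delimited) on stdin
# and print "count pid" for each process found in a subject token.
# Subject token layout: subject,auid,euid,egid,ruid,rgid,pid,sid,tid
pids_from_praudit() {
    awk -F, '
        {
            for (i = 1; i + 6 <= NF; i++)
                if ($i == "subject") { seen[$(i + 6)]++; break }
        }
        END { for (p in seen) print seen[p], p }
    ' | sort -k1,1nr -k2,2n
}

# Run as root on the audited host. Event name is an assumption (see above).
report_masks() {
    event=${1:-AUE_MEMCNTL}
    auditreduce -m "$event" | praudit -l | pids_from_praudit |
    while read -r count pid; do
        echo "pid $pid: $count record(s)"
        # A process that has already exited cannot be queried.
        auditconfig -getpinfo "$pid" 2>/dev/null || echo "  (process gone)"
    done
}

# Constructed sample records, for trying the parser without an audit trail.
sample_records() {
    cat <<'EOF'
file,2008-01-17 02:00:00.000 -03:00,
header,80,2,memcntl(2),,host1,2008-01-17 02:30:01.123 -03:00,subject,scott,root,root,root,root,4711,300,0 0 host1,return,success,0
header,80,2,memcntl(2),,host1,2008-01-17 02:30:02.456 -03:00,subject,scott,root,root,root,root,4711,300,0 0 host1,return,success,0
header,80,2,memcntl(2),,host1,2008-01-17 02:31:10.789 -03:00,subject,root,root,root,root,root,812,0,0 0 host1,return,success,0
EOF
}

if [ "${1:-}" = "live" ]; then
    report_masks "${2:-}"
else
    sample_records | pids_from_praudit
fi
```

Any process whose -getpinfo output still shows ot in its preselection mask was started before audit_control was edited and will keep logging until it is restarted.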