RHEL-AS-4.4 and auditd-1.0.14

Simon Jones sjones at tusc.com.au
Tue Feb 13 23:07:54 UTC 2007


Hi Steve,

I've installed the latest audit package and it seems to be exactly  
the same.  Overnight:

size-32           208310 208369     32  119    1 : tunables  120   60    8 : slabdata   1751   1751      0

[sysadmin at blah ~]$ rpm -q audit
audit-1.0.15-1.fc4

I've cut down the rules to a single watch on the /etc directory (I  
realise that this only watches the directory and not the files in it).

No rules
AUDIT_WATCH_LIST: dev=9:1, path=/etc, filterkey=ETC, perms=w, valid=0

Every access to /etc seems to add to the size-32 objects and never  
releases them.

Any other suggestions?

Simon.

On 13/02/2007, at 1:33 PM, Steve Grubb wrote:

> On Monday 12 February 2007 17:54, Simon Jones wrote:
>> I loaded just the rules and left it overnight and it still looks fine.
>>
>> size-32             3688   3808     32  119    1 : tunables  120   60    8 : slabdata     32     32      0
>
> Hmm...that would seem to point to the audit daemon. I posted the code
> for the 1.0.15 audit package here:
>
> http://people.redhat.com/sgrubb/audit/audit-1.0.15-1.fc4.src.rpm
>
> Maybe you want to build that and give it a try? I'd be curious if you
> see a leak in that version. It does have some cleanups, but nothing I
> recall as fixing a memory leak.
>
> -Steve
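
Added example, not part of the original message or of the audit project's code: a small parser for the `/proc/slabinfo` cache lines quoted in this thread, used to quantify the size-32 growth between the two reports. The function names, the 4 KiB page size and the slabinfo 2.x column layout are assumptions of the example.

```python
from typing import NamedTuple

PAGE_SIZE = 4096  # assumption: 4 KiB pages, not stated in the thread

class Slab(NamedTuple):
    name: str
    active_objs: int
    num_objs: int
    objsize: int
    objperslab: int
    pagesperslab: int
    active_slabs: int
    num_slabs: int

def parse_slab_line(line: str) -> Slab:
    """Parse one cache line: '<stats> : tunables ... : slabdata ...'."""
    stats, tunables, slabdata = (part.split() for part in line.split(":"))
    if (len(stats) != 6 or tunables[:1] != ["tunables"]
            or slabdata[:1] != ["slabdata"] or len(slabdata) < 3):
        raise ValueError(f"unexpected slabinfo line: {line!r}")
    slab = Slab(stats[0], *map(int, stats[1:]),
                int(slabdata[1]), int(slabdata[2]))
    # Sanity check: the cache cannot hold more objects than its slabs allow.
    if slab.num_objs > slab.num_slabs * slab.objperslab:
        raise ValueError(f"inconsistent object count: {line!r}")
    return slab

def growth(before: Slab, after: Slab) -> dict:
    """Summarise how one cache changed between two snapshots."""
    return {
        "active_delta": after.active_objs - before.active_objs,
        "bytes_delta": (after.num_slabs - before.num_slabs)
                       * after.pagesperslab * PAGE_SIZE,
        # Live/allocated ratio: a value near 1.0 means the objects are still
        # held, not sitting free in the cache waiting to be reaped.
        "in_use": after.active_objs / after.num_objs,
    }

# The two size-32 lines from this thread, with the mail line wrap removed.
QUOTED_REPORT = "size-32 3688 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0"
LATEST_REPORT = "size-32 208310 208369 32 119 1 : tunables 120 60 8 : slabdata 1751 1751 0"

if __name__ == "__main__":
    print(growth(parse_slab_line(QUOTED_REPORT), parse_slab_line(LATEST_REPORT)))
```
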



