On Tuesday 20 November 2007 10:36:47 am Bill Tangren wrote:
> type=SYSCALL msg=audit(11/20/2007 10:24:00.060:2971371) : arch=i386
> syscall=read success=no exit=-11(Resource temporarily unavailable) a0=12
> a1=97721e8 a2=1000 a3=9782c18 items=0 pid=3538 auid=bjt uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=X
> exe=/usr/X11R6/bin/Xorg
Yeah, see this is a wee bit more readable. I think you have a rule for reads
with success != yes. The only thing you might want to worry about is failed
access attempts. They have success=no, but their exit code is different.
> Now, this system is plugged into a KVM switch, and sometimes the sysadmin
> who logs into the GUI stays logged in for days (he forgets to log out),
I'd think some auto logout rules would solve that. ;)
> I don't know if any of this has anything to do with why I'm getting 500MB
> worth of logs every day,
That is excessive. I think it shows you need to refactor your rules.
-Steve
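
One way to see which failures are filling the log before refactoring the rules, as an added example that is not part of the original thread: it tallies failed syscalls per executable and errno, separating denied accesses (EPERM, EACCES) from other failures such as the EAGAIN reads quoted above. The sample records are constructed, one record per line, and the function names are hypothetical.

```python
import re
from collections import Counter

# Linux errno values that mean an access attempt was refused.
DENIED = {1: "EPERM", 13: "EACCES"}
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample records in the interpreted style quoted above (not real logs).
SAMPLE = "\n".join(
    ["type=SYSCALL msg=audit(11/20/2007 10:24:00.060:1) : arch=i386 syscall=read "
     "success=no exit=-11(Resource temporarily unavailable) a0=12 pid=3538 "
     "auid=bjt uid=root comm=X exe=/usr/X11R6/bin/Xorg"] * 3
    + ["type=SYSCALL msg=audit(11/20/2007 10:24:01.100:2) : arch=i386 syscall=open "
       "success=no exit=-13(Permission denied) a0=bf9 pid=4001 "
       "auid=bjt uid=bjt comm=cat exe=/bin/cat",
       "type=SYSCALL msg=audit(11/20/2007 10:24:02.200:3) : arch=i386 syscall=read "
       "success=yes exit=4096 a0=3 pid=4002 auid=bjt uid=bjt comm=cat exe=/bin/cat"]
)

def parse(line):
    """Return the key=value fields of one SYSCALL record, or None."""
    fields = dict(FIELD.findall(line))
    if fields.get("type") != "SYSCALL" or "exit" not in fields:
        return None
    # The interpreted form is "-11(Resource ..."; keep only the leading number.
    m = re.match(r"-?\d+", fields["exit"])
    failed = m is not None and fields.get("success") == "no"
    fields["errno"] = -int(m.group()) if failed else 0
    return fields

def triage(text):
    """Count failed syscalls, split into denied accesses and everything else."""
    denied, noise = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["errno"] == 0:
            continue  # not a syscall record, or the call succeeded
        key = (rec.get("exe"), rec.get("syscall"), rec["errno"])
        (denied if rec["errno"] in DENIED else noise)[key] += 1
    return denied, noise

if __name__ == "__main__":
    denied, noise = triage(SAMPLE)
    print("denied access attempts:", denied.most_common())
    print("other failures (candidates to stop auditing):", noise.most_common())
```
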