Re: RHEL-AS-4.4 and auditd-1.0.14

Hi Steve, I've installed the latest audit package and it seems to be exactly the same. Overnight: size-32 208310 208369 32 119 1 : tunables 120 60 8 : slabdata 1751 1751 0 [sysadmin@blah ~]$ rpm -q audit audit-1.0.15-1.fc4 I've cut down the rules to a single watch on the /etc directory (I realise that this only watches the directory and not the files in it). No rules AUDIT_WATCH_LIST: dev=9:1, path=/etc, filterkey=ETC, perms=w, valid=0 Every access to /etc seems to add to the size-32 objects and never releases them. Any other suggestions? Simon. On 13/02/2007, at 1:33 PM, Steve Grubb wrote: > On Monday 12 February 2007 17:54, Simon Jones wrote: >> I loaded just the rules and left it overnight and it still looks >> fine. >> >> size-32 3688 3808 32 119 1 : tunables 120 >> 60 8 : slabdata 32 32 0 > > Hmm...that would seem to point to the audit daemon. I posted the > code for the > 1.0.15 audit package here: > > http://people.redhat.com/sgrubb/audit/audit-1.0.15-1.fc4.src.rpm > > Maybe you want to build that and give it a try? I'd be curious if > you see a > leak in that version. It does have some cleanups, but nothing I > recall as > fixing a memory leak. > > -Steve