On Mon, 2018-07-16 at 14:27 -0400, Steve Grubb wrote: > Hello, > > I have been testing a new set of audit rules and have run across > some > processes that are doing things that might out to be changed. > Typically, > audit users expect a normally functioning system to not be noisy. > There is a > requirement to audit failed file access due to permission denied. > What I'm > finding is that two processes are generating tens of thousands of > events > every day. > > There is a /usr/libexec/tracker-extract process that searches my > directories > about every 11 seconds. I can imagine on a laptop that would be a lot > of disk > activity. Sometimes I use root in my home directory and accidentally > create > files owned by root. This leads to a lots of events on my system. > Does it > really need to run with this frequency? https://bugzilla.redhat.com/show_bug.cgi?id=1271872 https://bugzilla.redhat.com/show_bug.cgi?id=747689 (closed as fixed !?! ) yet today someone also complains about tracker > But I also see one that I just don't understand. Every 12 seconds, > /usr/lib/ > systemd/systemd calls openat with write flags to open > > /sys/fs/cgroup/cpu/cgroup.procs > /sys/fs/cgroup/cpuacct/cgroup.procs > /sys/fs/cgroup/blkio/cgroup.procs > /sys/fs/cgroup/memory/user.slice/user-4325.slice/user@4325.service/ > cgroup.procs > /sys/fs/cgroup/memory/user.slice/user-4325.slice/cgroup.procs > /sys/fs/cgroup/memory/user.slice/cgroup.procs > /sys/fs/cgroup/memory/cgroup.procs > /sys/fs/cgroup/devices/user.slice/cgroup.procs > /sys/fs/cgroup/devices/cgroup.procs > /sys/fs/cgroup/pids/user.slice/user-4325.slice/user@4325.service/cgro > up.procs > /sys/fs/cgroup/pids/user.slice/user-4325.slice/cgroup.procs > /sys/fs/cgroup/pids/user.slice/cgroup.procs > /sys/fs/cgroup/pids/cgroup.procs > > Which are all root owned files. This adds up to about 45,000 events a > day. Is > there a purpose to opening those files? And if that was truly needed, > should > it be logging failures? Are the permissions wrong? If the failures > are > benign, why is it doing it at all? > > Thanks, > -Steve > > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelin > es > List Archives: https://lists.fedoraproject.org/archives/list/devel@li > sts.fedoraproject.org/message/2HMJ4SX3UP22ASPI34YK6JOKEM2X5NYN/ -- Sérgio M. B. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/7I3FZI2GBROJ6CGTIIGOTRTR5U6RHBC7/
