On Mon, 2018-07-16 at 14:27 -0400, Steve Grubb wrote:
> Hello,
>
> I have been testing a new set of audit rules and have run across some
> processes that are doing things that might ought to be changed. Typically,
> audit users expect a normally functioning system to not be noisy. There is a
> requirement to audit failed file access due to permission denied. What I'm
> finding is that two processes are generating tens of thousands of events
> every day.
>
> There is a /usr/libexec/tracker-extract process that searches my directories
> about every 11 seconds. I can imagine on a laptop that would be a lot of disk
> activity. Sometimes I use root in my home directory and accidentally create
> files owned by root. This leads to lots of events on my system. Does it
> really need to run with this frequency?

It backs the live searches you can do via the GNOME overview, so for those to be actually accurate (and I'd assume people often want to find recently-touched content), yeah, it kinda has to run a lot. Probably best asked on the desktop@ list, anyway.

> But I also see one that I just don't understand. Every 12 seconds,
> /usr/lib/systemd/systemd calls openat with write flags to open
>
> /sys/fs/cgroup/cpu/cgroup.procs
> /sys/fs/cgroup/cpuacct/cgroup.procs
> /sys/fs/cgroup/blkio/cgroup.procs
> /sys/fs/cgroup/memory/user.slice/user-4325.slice/user@4325.service/cgroup.procs
> /sys/fs/cgroup/memory/user.slice/user-4325.slice/cgroup.procs
> /sys/fs/cgroup/memory/user.slice/cgroup.procs
> /sys/fs/cgroup/memory/cgroup.procs
> /sys/fs/cgroup/devices/user.slice/cgroup.procs
> /sys/fs/cgroup/devices/cgroup.procs
> /sys/fs/cgroup/pids/user.slice/user-4325.slice/user@4325.service/cgroup.procs
> /sys/fs/cgroup/pids/user.slice/user-4325.slice/cgroup.procs
> /sys/fs/cgroup/pids/user.slice/cgroup.procs
> /sys/fs/cgroup/pids/cgroup.procs
>
> Which are all root owned files. This adds up to about 45,000 events a day. Is
> there a purpose to opening those files?
> And if that was truly needed, should
> it be logging failures? Are the permissions wrong? If the failures are
> benign, why is it doing it at all?

No idea about this one.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
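
Added example, not part of the original message or of any project mentioned in it: one way to tally which executables and paths account for the permission-denied audit events discussed in this thread. The log lines are constructed samples in the Linux audit record format; the rule key `access`, the PIDs and the `/home/user` paths are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not taken from the thread). On x86_64,
# syscall=257 is openat; exit=-13 is EACCES and exit=-1 is EPERM.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1531765620.101:9001): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=1530 uid=4325 comm="systemd" exe="/usr/lib/systemd/systemd" key="access"
type=PATH msg=audit(1531765620.101:9001): item=0 name="/sys/fs/cgroup/cpu/cgroup.procs" ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1531765620.102:9002): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=1530 uid=4325 comm="systemd" exe="/usr/lib/systemd/systemd" key="access"
type=PATH msg=audit(1531765620.102:9002): item=0 name="/sys/fs/cgroup/blkio/cgroup.procs" ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1531765632.101:9003): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=1530 uid=4325 comm="systemd" exe="/usr/lib/systemd/systemd" key="access"
type=PATH msg=audit(1531765632.101:9003): item=0 name="/sys/fs/cgroup/cpu/cgroup.procs" ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1531765633.500:9004): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=2211 uid=4325 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=PATH msg=audit(1531765633.500:9004): item=0 name="/home/user/root-owned.txt" ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1531765633.600:9005): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=2211 uid=4325 comm="tracker-extract" exe="/usr/libexec/tracker-extract" key="access"
type=PATH msg=audit(1531765633.600:9005): item=0 name="/home/user/notes.txt" ouid=4325 ogid=4325 nametype=NORMAL
"""

MSG_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records that share a (timestamp, serial) pair into one event."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            events[(ts, serial)]["syscall"] = fields
        elif rtype == "PATH" and "name" in fields:
            events[(ts, serial)]["paths"].append(fields["name"])
    return events

def denied_by_exe(text, errnos=("-13", "-1")):
    """Count failed syscalls with EACCES/EPERM per exe and per (exe, path)."""
    per_exe, per_path = Counter(), Counter()
    for ev in parse_events(text).values():
        sc = ev["syscall"]
        if not sc or sc.get("success") != "no" or sc.get("exit") not in errnos:
            continue
        per_exe[sc.get("exe", "?")] += 1
        for p in ev["paths"]:
            per_path[(sc.get("exe", "?"), p)] += 1
    return per_exe, per_path

if __name__ == "__main__":
    print(denied_by_exe(SAMPLE_LOG)[0].most_common())
```

The per-path counter separates a process that repeatedly hits the same few root-owned files from one that scans widely, which is what decides between fixing ownership and adding an audit exclusion.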