OES 2015 SP1: /tmp is filling up with tmp files named in the format "tmpv8462t"

  • 7018802
  • 12-Apr-2017
  • 12-Apr-2017

Environment

Novell Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1

Situation

The customer noticed that /tmp/ was filling up with tmp files. The files were not being deleted as expected.

Resolution

Enable auditd to determine which application is writing files to /tmp/.

The example below shows how to enable an audit watch and how to search the audit log.
Beware: the log file will grow fast, so only run the watch for short periods of time, then stop it with "auditctl -D".
The example uses touch to create a file named tmp666666.

Create Rule:
    auditctl -w /tmp/ -p w -k tmpfiles -e 1

Watch:        -w /tmp/
Permissions:  -p w
Key:          -k tmpfiles
Enable:       -e 1
Disable:      -e 0

List Rules:
    auditctl -l
    LIST_RULES: exit,always dir=/tmp (0x4) perm=w key=tmpfiles

Search:
    ausearch -k tmpfiles

Example: file tmp666666 created with touch:
----
time->Tue Mar 21 14:07:44 2017
type=CONFIG_CHANGE msg=audit(1490126864.281:51): auid=0 ses=1 op="add rule" key="tmpfiles" list=4 res=1
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1490126982.298:52):  cwd="/tmp"
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe66f0261e a1=941 a2=1b6 a3=7ffe66f00c10 items=2 ppid=8748 pid=10315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="touch" exe="/bin/touch" key="tmpfiles"

/var/log/audit # ausearch -f tmp666666
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1490126982.298:52):  cwd="/tmp"
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe66f0261e a1=941 a2=1b6 a3=7ffe66f00c10 items=2 ppid=8748 pid=10315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="touch" exe="/bin/touch" key="tmpfiles"

Stop/Clear Rules:
    auditctl -D

Log File is located at:
    /var/log/audit/audit.log
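
When the watch records many events, reading ausearch output record by record is slow. The following added example (not part of the original article) groups the records by audit event ID and lists the files written per executable. The function names and the two python events in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in ausearch output format: the touch event shown above
# (shortened) plus two invented python events creating tmpXXXXXX-style files.
SAMPLE = """\
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=8748 pid=10315 uid=0 comm="touch" exe="/bin/touch" key="tmpfiles"
type=PATH msg=audit(1490127001.105:53): item=1 name="/tmp/tmpv8462t" inode=2027753 dev=08:02 mode=0100600 ouid=0 ogid=0
type=PATH msg=audit(1490127001.105:53): item=0 name="/tmp/" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0
type=SYSCALL msg=audit(1490127001.105:53): arch=c000003e syscall=2 success=yes exit=4 items=2 ppid=10401 pid=10402 uid=0 comm="python" exe="/usr/bin/python" key="tmpfiles"
type=PATH msg=audit(1490127061.112:54): item=1 name="/tmp/tmpq03x7k" inode=2027754 dev=08:02 mode=0100600 ouid=0 ogid=0
type=PATH msg=audit(1490127061.112:54): item=0 name="/tmp/" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0
type=SYSCALL msg=audit(1490127061.112:54): arch=c000003e syscall=2 success=yes exit=4 items=2 ppid=10454 pid=10455 uid=0 comm="python" exe="/usr/bin/python" key="tmpfiles"
"""
RECORD = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    # Records of one event share the "timestamp:serial" ID, in any order.
    events = defaultdict(lambda: {"SYSCALL": {}, "PATH": []})
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:  # skips the "----" and "time->" separator lines
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            events[event_id]["SYSCALL"] = fields
        elif rtype == "PATH":
            events[event_id]["PATH"].append(fields)
    return events

def writers_by_exe(text, key="tmpfiles"):
    result = defaultdict(list)
    for ev in group_events(text).values():
        sc = ev["SYSCALL"]
        if sc.get("key") != key or sc.get("success") != "yes" or not ev["PATH"]:
            continue
        # item=0 is the parent directory on create; the highest item is the file.
        target = max(ev["PATH"], key=lambda p: int(p["item"]))
        result[sc["exe"]].append((target["name"], sc["pid"], sc["ppid"]))
    return dict(result)

if __name__ == "__main__":
    for exe, hits in writers_by_exe(SAMPLE).items():
        print(len(hits), exe, [name for name, _pid, _ppid in hits])
```

On a live system, pass the captured output of "ausearch -k tmpfiles" to writers_by_exe() instead of SAMPLE.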

Cause

The root crontab had two entries for the following job:
* * * * * /usr/bin/python /opt/novell/xad/sbin/sites_dnsupdate.py 1>/dev/null 2>>/var/opt/novell/xad/log/sitesandsubnets.log

After the second entry was removed, /tmp/ no longer filled up with tmp files.