Environment
Novell Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Situation
Customer noticed that /tmp/ was filling up with tmp files. The files were not being deleted as expected...
Resolution
Enable auditd to determine what application is writing to /tmp/
Who is writing files to /tmp/
Example how to enable auditd, and how to search the audit system…
Beware, the log file will grow fast.. So only run for short periods of time then stop with “auditctl –D”
example uses touch to create a file named tmp666666.
Create Rule:
auditctl -w /tmp/ -p w -k tmpfiles -e 1
Watch: -w /tmp/
Permissions: -p w
Key: -k tmpfiles
Enable: -e 1
Disable: -e 0
List Rules:
auditctl -l
LIST_RULES: exit,always dir=/tmp (0x4) perm=w key=tmpfiles
Search:
ausearch -k tmpfiles
Example, Created, tmp666666, with touch:
----
time->Tue Mar 21 14:07:44 2017
type=CONFIG_CHANGE msg=audit(1490126864.281:51): auid=0 ses=1 op="add rule" key="tmpfiles" list=4 res=1
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1490126982.298:52): cwd="/tmp"
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe66f0261e a1=941 a2=1b6 a3=7ffe66f00c10 items=2 ppid=8748 pid=10315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="touch" exe="/bin/touch" key="tmpfiles"
/var/log/audit # ausearch -f tmp666666
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1490126982.298:52): cwd="/tmp"
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe66f0261e a1=941 a2=1b6 a3=7ffe66f00c10 items=2 ppid=8748 pid=10315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="touch" exe="/bin/touch" key="tmpfiles"
Stop/Clear Rules
auditctl -D
Log File is located at:
/var/log/audit/audit.log
Who is writing files to /tmp/
Example how to enable auditd, and how to search the audit system…
Beware, the log file will grow fast.. So only run for short periods of time then stop with “auditctl –D”
example uses touch to create a file named tmp666666.
Create Rule:
auditctl -w /tmp/ -p w -k tmpfiles -e 1
Watch: -w /tmp/
Permissions: -p w
Key: -k tmpfiles
Enable: -e 1
Disable: -e 0
List Rules:
auditctl -l
LIST_RULES: exit,always dir=/tmp (0x4) perm=w key=tmpfiles
Search:
ausearch -k tmpfiles
Example, Created, tmp666666, with touch:
----
time->Tue Mar 21 14:07:44 2017
type=CONFIG_CHANGE msg=audit(1490126864.281:51): auid=0 ses=1 op="add rule" key="tmpfiles" list=4 res=1
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1490126982.298:52): cwd="/tmp"
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe66f0261e a1=941 a2=1b6 a3=7ffe66f00c10 items=2 ppid=8748 pid=10315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="touch" exe="/bin/touch" key="tmpfiles"
/var/log/audit # ausearch -f tmp666666
----
time->Tue Mar 21 14:09:42 2017
type=PATH msg=audit(1490126982.298:52): item=1 name="tmp666666" inode=2027752 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1490126982.298:52): item=0 name="/tmp" inode=2027649 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1490126982.298:52): cwd="/tmp"
type=SYSCALL msg=audit(1490126982.298:52): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe66f0261e a1=941 a2=1b6 a3=7ffe66f00c10 items=2 ppid=8748 pid=10315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=7 comm="touch" exe="/bin/touch" key="tmpfiles"
Stop/Clear Rules
auditctl -D
Log File is located at:
/var/log/audit/audit.log
Cause
root crontab had two entries for the following:
* * * * * /usr/bin/python /opt/novell/xad/sbin/sites_dnsupdate.py 1>/dev/null 2>>/var/opt/novell/xad/log/sitesandsubnets.log
* * * * * /usr/bin/python /opt/novell/xad/sbin/sites_dnsupdate.py 1>/dev/null 2>>/var/opt/novell/xad/log/sitesandsubnets.log
Removed second entry and /tmp/ no longer got filled up with tmp files...