I have installed Snare for Solaris 3.2.1 and today the box crashed with the following messages:
June 3 01:50:01 styux9279 tmpfs: [ID 518458 kern.warning] WARNING: /tmp: File system full, swap space limit exceeded
June 3 02:06:24 styux9279 genunix: [ID 470503 kern.warning] WARNING: Sorry, no swap space to grow stack for pid 21427 (dbstatus)
Is there any way of stopping Snare logging to the tmp directory, or of logging to /dev/null? I could not find anything in the configuration guide.
It's some extraneous code in snarecore.c at line 2909:
execlp("/usr/bin/bash","bash","-c","/usr/sbin/praudit -l -d\" \"|tee /tmp/SNARE-events.txt", (char *)0);
You can change this to:
execlp("/usr/sbin/praudit", "praudit", "-l", "-d ", (char *)0);
or alternatively download the latest 3.2.3 code from SourceForge.
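Added example (not Snare's code, nor from the reply above) of the spawn pattern the corrected line implies: exec the formatter directly and read its output through a pipe, instead of going through bash -c and tee into a file under /tmp, which on Solaris is swap-backed tmpfs. The name run_capture is hypothetical; on Solaris the argv would be /usr/sbin/praudit -l -d " " as in the corrected execlp call.

```c
/* Added example, not Snare's own code: spawn the audit formatter directly and
 * read its stdout through a pipe, replacing bash -c "... | tee /tmp/...".
 * No shell is involved and nothing is written to /tmp, so a swap-backed tmpfs
 * cannot be filled by a growing copy of the audit stream. */
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* run_capture (hypothetical name): exec argv[0] via PATH with argv, capture
 * its stdout into buf (NUL-terminated). Returns bytes captured, -1 on error. */
ssize_t run_capture(char *const argv[], char *buf, size_t bufsz)
{
    int fds[2];
    if (bufsz == 0 || pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: stdout -> pipe, then direct exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);      /* no /usr/bin/bash -c, no tee */
        _exit(127);
    }
    close(fds[1]);                  /* parent: drain the pipe until EOF */
    size_t total = 0;
    while (total < bufsz - 1) {
        ssize_t n = read(fds[0], buf + total, bufsz - 1 - total);
        if (n <= 0)
            break;
        total += (size_t)n;
    }
    buf[total] = '\0';
    close(fds[0]);                  /* a child still writing gets SIGPIPE */
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)total;
}
```

The caller consumes the formatted records from buf (or from the pipe directly in a long-running agent) and forwards them, so no copy of the stream ever lands on disk.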
Thanks, so 3.2.3 will resolve this issue?
As Nick pointed out, 3.2.3 has solved this issue and the agent will only write to /tmp in DEBUG mode.