Snare for Solaris filling up /tmp directory

Holcrofts
2009-06-03
2012-10-09
  • Holcrofts
    2009-06-03

    I have installed Snare for Solaris 3.2.1 and today the box crashed with the following messages:

    June 3 01:50:01 styux9279 tmpfs: [ID 518458 kern.warning] WARNING: /tmp: File system full, swap space limit exceeded

    June 3 02:06:24 styux9279 genunix: [ID 470503 kern.warning] WARNING: Sorry, no swap space to grow stack for pid 21427 (dbstatus)

    Is there any way of stopping Snare logging to the tmp directory? Or log to /dev/null? I could not find anything in the configuration guide.

    Thanks

     
    • nick hindley
      2009-06-03

      It's some extraneous code in snarecore.c at line 2909:

      execlp("/usr/bin/bash","bash","-c","/usr/sbin/praudit -l -d\" \"|tee /tmp/SNARE-events.txt", (char *)0);

      You can change this to
      execlp("/usr/sbin/praudit", "praudit", "-l", "-d ", (char *)0);

      Or alternatively, download the latest 3.2.3 code from SourceForge.

       
    • Holcrofts
      2009-06-03

      Thanks, so 3.2.3 will resolve this issue?

       
      • David Mohr
        2009-06-03

        Hi,

        As Nick pointed out, 3.2.3 has solved this issue and the agent will only write to /tmp in DEBUG mode.

        Regards, David.

         
    • nick hindley
      2009-06-03

      Should do.
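
The change suggested in the thread replaces a `bash -c` pipeline that `tee`s every event into /tmp (tmpfs, which is backed by swap on Solaris) with a direct exec of praudit. The following is an added example, not Snare's source and not code from the posters, showing that pattern in isolation: the child is exec'd without a shell and its output is read from a pipe, so no copy accumulates in a file. The names `spawn_reader` and `count_records` are hypothetical, and how Snare itself consumes praudit output is not shown on this page.

```c
/* Added illustration, not Snare source: exec a formatter directly and read
 * its stdout through a pipe, so no copy of the stream is written to /tmp. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper: returns the pipe's read end (or -1), child pid in *pid. */
int spawn_reader(char *const argv[], pid_t *pid)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    if ((*pid = fork()) == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (*pid == 0) {                      /* child */
        close(fds[0]);
        if (fds[1] != STDOUT_FILENO) {
            dup2(fds[1], STDOUT_FILENO);  /* stdout now feeds the pipe */
            close(fds[1]);
        }
        execvp(argv[0], argv);            /* direct exec: no bash -c, no tee */
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);                        /* parent keeps the read end only */
    return fds[0];
}

/* Hypothetical consumer: counts newline-terminated records; -1 on failure. */
long count_records(char *const argv[])
{
    pid_t pid;
    char buf[4096];
    long lines = 0;
    ssize_t n;
    int status, fd = spawn_reader(argv, &pid);
    if (fd == -1)
        return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            lines += (buf[i] == '\n');
    close(fd);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? lines : -1;
}
```

On a Solaris host the argument vector would be the one from the post (`/usr/sbin/praudit`, `-l`, `-d `); any command that writes lines to stdout exercises the same path.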