tmpsys:/ files found on some network devices.

Unanswered Question

Does anyone know what these files/directories do and why they they should be on a 3750 switch??

Directory of tmpsys:/

6 drw- 0 <no date> eem_lib_syst

5 drw- 0 <no date> eem_lib_user

4 drw- 0 <no date> eem_policy

14 -rw- 0 <no date> eem_rpc_0

15 -rw- 0 <no date> eem_rpc_1

24 -rw- 0 <no date> eem_rpc_10

25 -rw- 0 <no date> eem_rpc_11

26 -rw- 0 <no date> eem_rpc_12

27 -rw- 0 <no date> eem_rpc_13

28 -rw- 0 <no date> eem_rpc_14

29 -rw- 0 <no date> eem_rpc_15

16 -rw- 0 <no date> eem_rpc_2

17 -rw- 0 <no date> eem_rpc_3

18 -rw- 0 <no date> eem_rpc_4

19 -rw- 0 <no date> eem_rpc_5

20 -rw- 0 <no date> eem_rpc_6

21 -rw- 0 <no date> eem_rpc_7

22 -rw- 0 <no date> eem_rpc_8

23 -rw- 0 <no date> eem_rpc_9

7 drw- 0 <no date> eem_temp

1 dr-x 0 <no date> lib


sand1#cd tmpsys:/lib


Directory of tmpsys:/lib/

2 drw- 0 <no date> tcl

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

It looks as if the tmpsys directory is really a storage space for Cisco's new Software License Activation.

The questions I have are related to the tcl and how the whole thing works. TCL is kind of a risky language to have around on network devices.

I originally saw some logs that said that a device was getting written to via snmp. Furthermore the source of the writes was the network management server IP address.

The network management server didn't show any configuration changes though. The only thing I found was these files. The only way to write to my devices, using snmp, is to come from the ip address of the network management server. Did Call Home do some analysis and probing around to find this out or did a hacker gain access to my 3750's? I couldn't tell from the info that I have been able to locate about Software License Activation.

mtimm Fri, 09/05/2008 - 10:07
User Badges:
  • Cisco Employee,

This is an embedded event manager specific file system that is used to store scripts and libraries. More info on EEM is here:

Note that there is no documentation on this file system because traversing the filesystem or viewing files in the filesystem is not required to use EEM.

cwildes Fri, 09/05/2008 - 10:31
User Badges:
  • Cisco Employee,

Bruce, tmpsys: is used by EEM as an alternative to system: for performance reasons. Some accesses to system: directories/files cause the running config to be generated if it has been modified and not saved. This happens because the size of the running-config file must be accurate and available for fstat directory accounting. EEM's use of tmpsys: insures consistent performance when EEM policies are triggered. Thanks, Clyde


This Discussion