audit-1.1.3 and SuSE 10.0 (with FC4 kernel)

Robert Giles rgiles at arlut.utexas.edu
Wed Jan 25 23:10:04 UTC 2006


Hi folks - I'm trying to get the audit tools running on SuSE 10.0...

From the list traffic, it seems that only RHEL4 and FC4 kernels have the 
latest patches applied to support the latest auditd, so I retrieved 
and built kernel-2.6.14-1.1656_FC4.src.rpm for my system, but I'm still 
getting the same "Invalid argument" when I try to do 'auditctl -w file':

(same error message I get with the stock SuSE 10.0 kernel and the SuSE 
10.0 pre-packaged audit-1.0.3-2 tools/libraries)

---
linux:/home/rgiles # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=6342 rate_limit=0 backlog_limit=64 lost=0 backlog=0
linux:/home/rgiles # auditctl -w /etc/shadow
Error sending watch insert request (Invalid argument)
---

On startup, I see this from the kernel:
---
audit: initializing netlink socket (disabled)
audit(1138207304.552:1): initialized
---

/var/log/audit/audit.log reads:
---
type=DAEMON_START msg=audit(1138229931.984:4606) auditd start, ver=1.1.3, format=raw, auid=4294967295 res=success, auditd pid=6370
type=CONFIG_CHANGE msg=audit(1138229931.985:5): audit_enabled=1 old=1 by auid=4294967295
---

Any pointers would be greatly appreciated (and I apologize for bothering 
y'all with usability questions on what appears to be a kernel devel 
list...  comp.os.linux.suse is full of LAuS questions, but nothing 
pertaining to the built-in kernel auditing that y'all are working on).

-----------------------------------------------------------
Robert Giles                     Group System Administrator
SPD/ARL:UT              (512) 835-3077 · Fax (512) 490-4244
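The two log records and the `auditctl -s` line quoted above show the shape of what the audit subsystem hands to an administrator: a `type=` field, a `msg=audit(seconds.millis:serial)` header, and a trailing run of `key=value` pairs, some of them preceded by free text. The following is an added example, not code from the post or from the audit project, that parses exactly those shapes, flags the things an operator would want to know from the status line (disabled auditing, no daemon registered, lost records, a near-full backlog, a silent failure flag), and treats the `auid=4294967295` seen in both records as the kernel's "unset" login uid, i.e. a change not attributable to a logged-in session. The sample input is constructed from the records in the post; the function names, the 80% backlog threshold and the finding strings are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, modelled on the records quoted in the post.
AUDIT_LOG_SAMPLE = """\
type=DAEMON_START msg=audit(1138229931.984:4606) auditd start, ver=1.1.3, format=raw, auid=4294967295 res=success, auditd pid=6370
type=CONFIG_CHANGE msg=audit(1138229931.985:5): audit_enabled=1 old=1 by auid=4294967295
"""
STATUS_SAMPLE = "AUDIT_STATUS: enabled=1 flag=1 pid=6342 rate_limit=0 backlog_limit=64 lost=0 backlog=0"

# (u32)-1: the kernel's "unset" login uid. An event carrying it was not tied
# to any logged-in user's session (here: auditd itself at startup).
UNSET_AUID = 4294967295

# Header of every userspace-formatted record: type, timestamp, serial, then
# the remainder of the line (free text and/or key=value pairs).
_HEADER = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):?\s*(?P<rest>.*)$"
)
# key=value pairs; values stop at whitespace or a comma ("ver=1.1.3,").
_KV = re.compile(r"(\w+)=([^\s,]+)")


def parse_record(line):
    """Parse one audit.log line into a dict, or None if it is not a record.

    Kernel console lines such as 'audit(...): initialized' carry no type=
    prefix and are deliberately skipped.
    """
    m = _HEADER.match(line.strip())
    if not m:
        return None
    when = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    when = when.replace(microsecond=int(m.group("ms")) * 1000)
    return {
        "type": m.group("type"),
        "time": when,
        "serial": int(m.group("serial")),
        # Free text like "auditd start," is ignored; only key=value survives,
        # so "auditd pid=6370" yields the key "pid".
        "fields": dict(_KV.findall(m.group("rest"))),
    }


def parse_status(line):
    """Turn the one-line 'auditctl -s' summary into an int-valued dict."""
    if not line.startswith("AUDIT_STATUS:"):
        raise ValueError("not an auditctl -s status line")
    return {k: int(v) for k, v in _KV.findall(line)}


def status_findings(status):
    """Return the operator-relevant problems visible in an audit status."""
    findings = []
    if status.get("enabled") != 1:
        findings.append("auditing is not enabled")
    if status.get("pid", 0) == 0:
        findings.append("no userspace daemon registered; records fall back to the kernel log")
    if status.get("lost", 0) > 0:
        findings.append("%d records lost" % status["lost"])
    limit = status.get("backlog_limit", 0)
    if limit and status.get("backlog", 0) >= 0.8 * limit:  # 80% is this example's threshold
        findings.append("backlog %d near limit %d" % (status["backlog"], limit))
    if status.get("flag") == 0:  # auditctl -f 0: delivery failures are silent
        findings.append("failure flag 0: lost records produce no kernel message")
    return findings


def review_log(text):
    """Parse every record and summarise daemon starts and configuration changes."""
    records = [r for r in (parse_record(l) for l in text.splitlines()) if r]
    events = []
    for r in records:
        f = r["fields"]
        if r["type"] == "DAEMON_START":
            events.append(("daemon_start", f.get("ver"), int(f.get("pid", 0))))
        elif r["type"] == "CONFIG_CHANGE":
            auid = int(f.get("auid", UNSET_AUID))
            who = "unattributed" if auid == UNSET_AUID else "auid=%d" % auid
            events.append(("config_change", f.get("audit_enabled"), who))
    return records, events


if __name__ == "__main__":
    recs, evs = review_log(AUDIT_LOG_SAMPLE)
    for r in recs:
        print(r["time"].isoformat(), r["type"], r["serial"], r["fields"])
    print(evs)
    print(status_findings(parse_status(STATUS_SAMPLE)) or "status: no findings")
```

Run against the records in the post, the CONFIG_CHANGE event comes out as unattributed, which is the expected result for the daemon enabling auditing at startup; the same check run over a longer log would surface configuration changes made from a real login session, which is the case an operator actually wants to see.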

