No audit records on FC5-t3 when arch is specified

Amy Griffis amy.griffis at hp.com
Wed Mar 1 23:30:55 UTC 2006


On Wed, Mar 01, 2006 at 04:18:23PM -0600, Loulwa Salem wrote:
> Hi,
> I just fresh installed a FC5-t3 (2.6.15-1.1955_FC5) on a ppc64 system 
> and noticed the following behavior with auditctl:
> 
> Inserting an audit rule in the following manner works (i.e. there is a 
> record for rule addition, and it generates a record when the syscall 
> is executed)
> 	auditctl -a action,list -S syscall
> 
> However, the following does not work (i.e. there is a record in the log 
> that a rule was added, but no record is generated when the syscall is 
> executed)
> 	auditctl -a action,list -F arch=b32 -S syscall	or
> 	auditctl -a action,list -F arch=b64 -S syscall
> 
> The version of auditctl on the system is audit-1.1.4-5.1
> 
> Michael tried this on an i386 FC5-t3 and he sees the same problem. 
> But on an i386 with latest lspp.10 kernel everything works fine.
> 
> Has anyone experienced this problem?

I just experienced the same problem when specifying a rule with the
'inode' field.  I suspect this is because the support for the new
operators was added to auditctl in audit-1.1.1 and does not exist in
the FC5-t3 kernel.  If you downgrade your audit packages to the
1.0 stream, do you still see the problem?

Amy
