Audit-1.0.14

[Todd, Charles]

> On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> > I can install the deb files and the audit daemon runs, but it has trouble
> > parsing the audit.rules file.  The error I am getting is "Error sending
> > insert watch request (Invalid Argument)."

> This is not a parsing error...its worse. The audit 1.0.x series was developed 
> to compliment the RHEL4 kernel. At the time, it was envisioned that the 
> technique used for watches would be accepted upstream. It was rejected due to 
> some overlap with inotify, so the watch system was re-written. The audit 
> 1.2.x series has the code for the new system. Watches were not accepted 
> upstream until the 2.6.18 kernel.

> > I have a requirement to use these two kernel versions, and unfortunately
> > can't use redhat, fedora, or their kernel binaries.

> They you are limited to inode based auditing. Or maybe if you put the things 
> you have to watch onto one partition, you can use devmajor and minor. I'd try 
> to move to a 2.6.18 kernel with the latest audit package.

> -Steve

Steve,
If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships with RHEL4u3 is immature, at best.  Does this mean that I will never get support for the dispatcher directive in /etc/auditd.conf?  I was hoping to use the development Snare scripts that Leigh put together, mainly for a unified, centralization of our audit trails, but it doesn't work if the dispatcher support option is missing.

I understand that file watching will not be an auditable event and that I'll have to filter out a lot of false positives.  I just want to get centralized auditing working without have to script a bunch of it myself.

Thanks!
Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball -com