Audit-1.0.14
Todd, Charles
CTODD at ball.com
Thu Nov 9 19:56:02 UTC 2006
> On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> > I can install the deb files and the audit daemon runs, but it has trouble
> > parsing the audit.rules file. The error I am getting is "Error sending
> > insert watch request (Invalid Argument)."
> This is not a parsing error...it's worse. The audit 1.0.x series was developed
> to complement the RHEL4 kernel. At the time, it was envisioned that the
> technique used for watches would be accepted upstream. It was rejected due to
> some overlap with inotify, so the watch system was re-written. The audit
> 1.2.x series has the code for the new system. Watches were not accepted
> upstream until the 2.6.18 kernel.
> > I have a requirement to use these two kernel versions, and unfortunately
> > can't use redhat, fedora, or their kernel binaries.
> Then you are limited to inode based auditing. Or maybe if you put the things
> you have to watch onto one partition, you can use devmajor and minor. I'd try
> to move to a 2.6.18 kernel with the latest audit package.
> -Steve
Steve,
If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships with RHEL4u3 is immature, at best. Does this mean that I will never get support for the dispatcher directive in /etc/auditd.conf? I was hoping to use the development Snare scripts that Leigh put together, mainly for unified centralization of our audit trails, but it doesn't work if the dispatcher support option is missing.
I understand that file watching will not be an auditable event and that I'll have to filter out a lot of false positives. I just want to get centralized auditing working without having to script a bunch of it myself.
Thanks!
Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball -com
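The inode plus devmajor/devminor fallback that Steve describes, as an added example that is not part of the thread: it assumes GNU stat, builds the auditctl line for a path without loading it, and shows the weakness of the approach (a file replaced by rename gets a new inode, so the old rule silently stops matching).

```shell
#!/bin/sh
# Added example, not from the linux-audit thread. Builds an inode-based audit
# rule for one path, the fallback used when path watches are unavailable on
# pre-2.6.18 kernels. -F inode=, -F devmajor= and -F devminor= are real
# auditctl fields; GNU stat (-c) is assumed. Nothing is loaded into the kernel.

# Split a Linux st_dev value into major and minor numbers (glibc encoding:
# major = bits 8..19, minor = bits 0..7 plus bits 20..31 shifted down).
dev_major() { echo $(( ($1 >> 8) & 4095 )); }
dev_minor() { echo $(( ($1 & 255) | (($1 >> 12) & 1044480) )); }

# Print the auditctl command that would audit open/truncate on this file's
# current inode. Returns non-zero if the path cannot be stat'ed.
inode_rule() {
    out=$(stat -c '%i %d' "$1") || return 1
    set -- $out
    printf 'auditctl -a exit,always -S open -S truncate -F inode=%s -F devmajor=%s -F devminor=%s\n' \
        "$1" "$(dev_major "$2")" "$(dev_minor "$2")"
}

# Verify that a path still points at the inode a rule was written for. This is
# the check an operator has to repeat, because editors and package upgrades
# commonly replace a file by rename, leaving the rule bound to a dead inode.
same_inode() { [ "$(stat -c '%i' "$2")" = "$1" ]; }
```

Re-run same_inode after any deployment or package update; a mismatch means the rule must be regenerated with inode_rule.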