Why aren't SYSCALLS being logged in CentOS kernel (any ideas?)
Steve Grubb
sgrubb at redhat.com
Fri Aug 31 17:40:24 UTC 2007
On Friday 31 August 2007 13:35:22 Robert Evans wrote:
> Hmmm....tried auditctl -l and just got
>
> No rules
OK, that's a start.
> Since I have /etc/audit.rules in place, does that indicate the syscall
> auditing part of the kernel is compiled in.
Well, that file is for user space. But on RHEL5, that file's location has
changed. So maybe that is your problem? It should be:
/etc/audit/audit.rules
But, you can load the rules where they are by hand:
auditctl -R /etc/audit.rules
to make sure its working. See if that doesn't fix your problem.
-Steve
More information about the Linux-audit
mailing list