Problem with start of auditd on 2.6.13-2smp machine

Steve Grubb sgrubb at redhat.com
Tue Jan 10 18:28:59 UTC 2006


On Tuesday 10 January 2006 12:44, Lisa Giacchetti wrote:
> I have a redhat enterprise linux 4 update 1 based system running
> 2.6.13-2smp kernel with audit-1.0.3-6.EL4 and audit-libs-1.0.3-6.EL4
> installed.

That kernel does not sound like a RHEL4 kernel. The RHEL4 kernel carries all 
the patches that the kernel needs for the audit system to work.

> The problem is that when I start auditd I get this error:
>
> [root at cmsstor02 etc]# /etc/init.d/auditd start
> Starting auditd:                                           [  OK  ]
> Error receiving watch list (Invalid argument)
> There was an error in line 5 of /etc/audit.rules

Non-RHEL4 kernels do not have the right patch for file system auditing. When 
it was sent upstream, there was some consolidation with inotify suggested 
before acceptance. That work is still in progress. So...no kernel except the 
RHEL4 kernel really has the file system auditing at this point.

> auditd actually starts but I am concerned that the -D
> option (which is what is on line 5 of /etc/audit.rules)
> is not being recognized or honored.

If you do not need file system auditing, then you can safely ignore this. If 
you do need it, you need to change kernels.

> I see that newer versions of the audit rpm may have fixed this

That one is older.

> "* Thu May 26 2005 Steve Grubb <sgrubb at redhat.com> 0.9-1
>    - Translate numeric info to human readable for ausearch output
>    - add '-if' option to ausearch to select input file
>    - add '-c' option to ausearch to allow searching by comm field
>    - init script now deletes all rules when daemon stops
>    - Make auditctl display perms correctly in watch listings
> ***  - Make auditctl -D remove all watches"
>
> but I do not have the glibc-kernheaders needed. Mine
> are glibc-kernheaders-2.4-9.1.87 and audit-1.0.1201 needs
> glibc-kernheaders>=2.4-9.1.95.

We ship all the right pieces so that RHEL4 stuff is coordinated with itself
and FC4 is coordinated with itself. 1.0.12 will be released with the U3 update,
but it will not solve the problem you are reporting.

-Steve



