File watches supported in Audit 1.1.5 on Fedora Core 5?
Jonathan Abbey
jonabbey at arlut.utexas.edu
Tue Jun 20 00:52:56 UTC 2006
Hi, folks. I'm working on getting Audit working on Fedora Core 5,
using the latest assembly of RPMs from Fedora:

audit-libs-1.1.5-1
audit-libs-devel-1.1.5-1
audit-libs-python-1.1.5-1
audit-1.1.5-1

and I'm having quite a few problems with it. It appears that,
contrary to the man pages in the audit RPM, file watches are not
supported.

Likewise, many of the example rules in /usr/share/doc/audit-1.1.5/sample.rules,
such as

# Auditing failed opens
-a entry,always -S open -F success!=0

seem to be out of step with the actual rules supported by
/sbin/auditctl and/or the kernel. (I get the sensible 'Field success
cannot be checked at syscall entry' message.)

Now, I understand from the Audit System FAQ at
http://people.redhat.com/sgrubb/audit/
that file watches in the kernel are being refactored to use inotify,
so I presume that explains why auditctl tells me 'File system
watches not supported' when I run 'auditctl -L', and why it gives me a
vaguer complaint when I actually try to run 'auditctl -w'.

My questions are these:

Would the latest FC5 kernels support inotify-based file watches with a
more recent version of the Audit user tools?

Is there any up-to-date documentation that would serve me better than
that in the /usr/share/doc/audit-1.1.5 directory on FC5? I don't see
any on Steve Grubb's Audit page.

Thanks,

Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey at arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
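The 'Field success cannot be checked at syscall entry' complaint in the message above comes from a general constraint: the success (and exit) fields describe a syscall's return value, which the kernel only knows once the call has returned, so a rule that filters on them has to be on the exit list. The following is an added example, not code from the mail or from the audit project: a small linter that reads a sample.rules-style file, reports rules that put an exit-only field on the entry list, and rewrites them to the exit list so they load. The rule text is a constructed sample modelled on the excerpt above (the /etc/passwd watch path is a placeholder), and the parser is a deliberately simple approximation of auditctl's option syntax, not auditctl's own code.

```python
"""Lint auditctl rules for exit-only fields used on the syscall entry list.

Added example (not from the audit project).  It models one constraint that
auditctl enforces: the 'success' and 'exit' fields are known only after the
syscall returns, so they are rejected on the 'entry' list.
"""
import re
import shlex

# Constructed sample rules in the style of the sample.rules excerpt from the mail.
SAMPLE_RULES = """\
# Auditing failed opens
-a entry,always -S open -F success!=0
# Same check on the exit list, where the return value is known
-a always,exit -S open -F success=0
# A file watch (placeholder path)
-w /etc/passwd -p wa -k passwd
"""

LISTS = {"entry", "exit", "task", "user", "exclude"}
EXIT_ONLY_FIELDS = {"success", "exit"}   # only meaningful after the syscall returns


def parse_rule(line):
    """Split one auditctl line into (flag, value) pairs; None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    pairs, i = [], 0
    while i < len(toks):
        flag = toks[i]
        # A flag takes the next token as its value unless that token is another flag.
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            pairs.append((flag, toks[i + 1]))
            i += 2
        else:
            pairs.append((flag, None))
            i += 1
    return pairs


def field_name(expr):
    """'success!=0' -> 'success', 'exit=-13' -> 'exit'."""
    m = re.match(r"[A-Za-z0-9_]+", expr)
    return m.group(0) if m else expr


def lint_rule(pairs):
    """Return (problems, fixed_pairs).  Only the entry/exit list mismatch is checked."""
    problems, fixed = [], []
    exit_fields = [field_name(v) for f, v in pairs
                   if f == "-F" and v and field_name(v) in EXIT_ONLY_FIELDS]
    for flag, val in pairs:
        if flag == "-a" and val:
            parts = val.split(",")
            lists = [p for p in parts if p in LISTS]
            if lists == ["entry"] and exit_fields:
                problems.append("field(s) %s cannot be checked at syscall entry; "
                                "rule moved to the exit list" % ", ".join(exit_fields))
                parts = ["exit" if p == "entry" else p for p in parts]
                val = ",".join(parts)
        fixed.append((flag, val))
    return problems, fixed


def render(pairs):
    """Re-join pairs into a rule line (values are left unquoted, as in sample.rules)."""
    out = []
    for flag, val in pairs:
        out.append(flag)
        if val is not None:
            out.append(val)
    return " ".join(out)


def lint_rules(text):
    """Lint every rule line in a rules file; returns one dict per rule."""
    results = []
    for line in text.splitlines():
        pairs = parse_rule(line)
        if pairs is None:
            continue
        problems, fixed = lint_rule(pairs)
        results.append({"original": line.strip(),
                        "fixed": render(fixed),
                        "problems": problems})
    return results


if __name__ == "__main__":
    for r in lint_rules(SAMPLE_RULES):
        print("FIX " if r["problems"] else "ok  ", r["original"])
        for p in r["problems"]:
            print("      ->", p)
            print("      ->", r["fixed"])
```

Running it on the sample reports the first rule and prints the rewritten form '-a exit,always -S open -F success!=0'; the exit-list rule and the -w watch line pass through unchanged. The linter does not decide whether the kernel accepts -w watches at all (the separate problem raised in the mail); it only catches the rule-shape error that auditctl reports before a rule reaches the kernel.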