No audit records on FC5-t3 when arch is specified
Loulwa Salem
loulwas at us.ibm.com
Wed Mar 1 22:18:23 UTC 2006
Hi,
I just fresh installed a FC5-t3 (2.6.15-1.1955_FC5) on a ppc64 system
and noticed the following behavior with auditctl:
Inserting an audit rule in following manner works (ie. there is record
for rule addition, and it generates a record when the syscall is executed)
auditctl -a action,list -S syscall
However, the following does not work (ie. there is a record that a rule
was added in log, but no record is generated when syscall is executed)
auditctl -a action,list -F arch=b32 -S syscall or
auditctl -a action,list -F arch=b64 -S syscall
The version of auditctl on the system is audit-1.1.4-5.1
Michael tried this on an i386 FC5-t3 and he sees the same problem. But
on an i386 with latest lspp.10 kernel everything works fine.
Has anyone experienced this problem?
- Loulwa
More information about the Linux-audit
mailing list