Audit-1.0.14
Steve Grubb
sgrubb at redhat.com
Wed Oct 11 12:24:37 UTC 2006
On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> I can install the deb files and the audit daemon runs, but it has trouble
> parsing the audit.rules file. The error I am getting is "Error sending
> insert watch request (Invalid Argument)."
This is not a parsing error...its worse. The audit 1.0.x series was developed
to compliment the RHEL4 kernel. At the time, it was envisioned that the
technique used for watches would be accepted upstream. It was rejected due to
some overlap with inotify, so the watch system was re-written. The audit
1.2.x series has the code for the new system. Watches were not accepted
upstream until the 2.6.18 kernel.
> I have a requirement to use these two kernel versions, and unfortunately
> can't use redhat, fedora, or their kernel binaries.
They you are limited to inode based auditing. Or maybe if you put the things
you have to watch onto one partition, you can use devmajor and minor. I'd try
to move to a 2.6.18 kernel with the latest audit package.
-Steve
More information about the Linux-audit
mailing list