
Re: Audit-1.0.14



On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> I can install the deb files and the audit daemon runs, but it has trouble
> parsing the audit.rules file.  The error I am getting is "Error sending
> insert watch request (Invalid Argument)."

This is not a parsing error...it's worse. The audit 1.0.x series was developed 
to complement the RHEL4 kernel. At the time, it was envisioned that the 
technique used for watches would be accepted upstream. It was rejected due to 
some overlap with inotify, so the watch system was re-written. The audit 
1.2.x series has the code for the new system. Watches were not accepted 
upstream until the 2.6.18 kernel.

> I have a requirement to use these two kernel versions, and unfortunately
> can't use redhat, fedora, or their kernel binaries.

Then you are limited to inode based auditing. Or maybe if you put the things 
you have to watch onto one partition, you can use devmajor and minor. I'd try 
to move to a 2.6.18 kernel with the latest audit package.

-Steve
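
The inode and devmajor/devminor fallback suggested in the reply above, as an added example that is not part of the original message: it builds `auditctl` arguments from a file's inode and device numbers and detects when such a rule has gone stale because the file was replaced. The helper names, the `exit,always` list and the `open` syscall are assumptions chosen for illustration.

```python
import os
import re
import tempfile


def file_identity(path):
    """Return (inode, devmajor, devminor) for path, following symlinks."""
    st = os.stat(path)
    return st.st_ino, os.major(st.st_dev), os.minor(st.st_dev)


def inode_rule(path, syscall="open"):
    """auditctl arguments that match one file by inode plus device numbers."""
    ino, major, minor = file_identity(path)
    return (f"-a exit,always -S {syscall} "
            f"-F inode={ino} -F devmajor={major} -F devminor={minor}")


def partition_rule(mount_point, syscall="open"):
    """auditctl arguments that match every file on one partition."""
    _, major, minor = file_identity(mount_point)
    return f"-a exit,always -S {syscall} -F devmajor={major} -F devminor={minor}"


def rule_is_stale(rule, path):
    """True if path no longer has the inode/device the rule was built for."""
    fields = {k: int(v) for k, v in re.findall(r"-F (\w+)=(\d+)", rule)}
    wanted = (fields["inode"], fields["devmajor"], fields["devminor"])
    return wanted != file_identity(path)


if __name__ == "__main__":
    # Constructed sample: a scratch file stands in for the file to audit.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "watched.conf")
        open(target, "w").close()
        rule = inode_rule(target)
        print("file rule:     ", rule)
        print("partition rule:", partition_rule(d))
        # Write-then-rename (editors, package upgrades) gives the path a new
        # inode, so the old rule silently stops matching.
        with open(target + ".new", "w") as f:
            f.write("updated\n")
        os.replace(target + ".new", target)
        print("stale after replace:", rule_is_stale(rule, target))
```

Because an inode rule follows the inode and not the path, it has to be regenerated and reloaded whenever `rule_is_stale` reports a change.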

