> On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> > I can install the deb files and the audit daemon runs, but it has trouble
> > parsing the audit.rules file. The error I am getting is "Error sending
> > insert watch request (Invalid Argument)."
>
> This is not a parsing error... it's worse. The audit 1.0.x series was developed
> to complement the RHEL4 kernel. At the time, it was envisioned that the
> technique used for watches would be accepted upstream. It was rejected due to
> some overlap with inotify, so the watch system was re-written. The audit
> 1.2.x series has the code for the new system. Watches were not accepted
> upstream until the 2.6.18 kernel.
>
> > I have a requirement to use these two kernel versions, and unfortunately
> > can't use redhat, fedora, or their kernel binaries.
>
> Then you are limited to inode based auditing. Or maybe if you put the things
> you have to watch onto one partition, you can use devmajor and minor. I'd try
> to move to a 2.6.18 kernel with the latest audit package.
>
> -Steve

Steve,

If I'm reading this correctly, you're telling me that the 1.0.14 auditd that ships with RHEL4u3 is immature, at best. Does this mean that I will never get support for the dispatcher directive in /etc/auditd.conf? I was hoping to use the development Snare scripts that Leigh put together, mainly for a unified centralization of our audit trails, but it doesn't work if the dispatcher support option is missing. I understand that file watching will not be an auditable event and that I'll have to filter out a lot of false positives. I just want to get centralized auditing working without having to script a bunch of it myself.

Thanks!

Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball -com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
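The two rule styles Steve contrasts, as an added example that is not code from the thread, from the linux-audit project or from any participant. It generates the inode/device-pinned rules that pre-2.6.18 kernels with audit 1.0.x can load (`-a exit,always -S ... -F inode= -F devmajor= -F devminor=`), the single-partition variant he suggests (`-F devmajor=`/`-F devminor=` with no inode), and, for comparison only, the `-w PATH -p PERMS` watch form that needs a 2.6.18 kernel with audit 1.2.x. The field names and the `-a exit,always` form are real auditctl syntax; the helper names, the default syscall list and the temp-directory scenario are this example's own choices, and it is assumed that the auditctl on the target box accepts those fields. The part a practitioner most needs to see is the caveat at the end: a rule pinned to an inode silently stops matching as soon as the file is replaced rather than edited in place, which is exactly what editors, `sed -i` and package upgrades do.

```python
"""Generate inode/device-based audit rules for kernels without path watches.

Added example for the linux-audit thread; not project code. auditctl field
names are real; helper names and the sample scenario are ours.
"""
import os
import tempfile
from typing import List, Optional, Tuple


def file_identity(path: str) -> Tuple[int, int, int]:
    """Return (inode, devmajor, devminor): the three values an inode-based
    rule pins on. Follows symlinks, as the kernel does when resolving a path."""
    st = os.stat(path)
    return st.st_ino, os.major(st.st_dev), os.minor(st.st_dev)


def inode_rule(path: str, syscalls: Tuple[str, ...] = ("open", "truncate")) -> str:
    """Old-style (audit 1.0.x / RHEL4 kernel) rule: filter the chosen syscalls
    on the file's inode and device instead of on its path. The default
    syscall list is an assumption for illustration; pick what you must audit."""
    ino, major, minor = file_identity(path)
    sys_part = " ".join(f"-S {s}" for s in syscalls)
    return f"-a exit,always {sys_part} -F inode={ino} -F devmajor={major} -F devminor={minor}"


def partition_rule(paths: List[str], syscalls: Tuple[str, ...] = ("open",)) -> Optional[str]:
    """Steve's alternative: if every path lives on one partition, a single
    devmajor/devminor rule covers all of them (and everything else on that
    device, so expect to filter noise). Returns None if they span devices."""
    devices = {file_identity(p)[1:] for p in paths}
    if len(devices) != 1:
        return None
    major, minor = devices.pop()
    sys_part = " ".join(f"-S {s}" for s in syscalls)
    return f"-a exit,always {sys_part} -F devmajor={major} -F devminor={minor}"


def watch_rule(path: str, perms: str = "wa") -> str:
    """Path watch as accepted upstream in 2.6.18 (audit 1.2.x userspace).
    Loading this on the kernels in the thread yields the EINVAL Kevin saw."""
    return f"-w {path} -p {perms}"


def rule_is_stale(rule: str, path: str) -> bool:
    """True when the inode pinned in an inode rule no longer matches what the
    path resolves to, i.e. the file was replaced and the rule is now inert."""
    pinned = int(rule.split("-F inode=")[1].split()[0])
    return pinned != file_identity(path)[0]


def demo() -> dict:
    """Constructed scenario in a temp dir (sample data, not a real system):
    two files on one device, then one is replaced rather than edited in place."""
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, "shadow")
        passwd = os.path.join(d, "passwd")
        for p in (shadow, passwd):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        rule = inode_rule(shadow)
        before = rule_is_stale(rule, shadow)
        # Atomic replace, the way 'vi' or 'sed -i' saves: new inode, old name.
        tmp = os.path.join(d, "shadow.tmp")
        with open(tmp, "w") as f:
            f.write("edited copy\n")
        os.replace(tmp, shadow)
        after = rule_is_stale(rule, shadow)
        return {
            "inode_rule": rule,
            "partition_rule": partition_rule([shadow, passwd]),
            "watch_rule": watch_rule(shadow),
            "stale_before_replace": before,
            "stale_after_replace": after,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because of the staleness problem, an inode-based rule set has to be regenerated (and reloaded with `auditctl -D` followed by the new rules) after anything that rewrites the watched files; the partition-wide rule avoids that at the cost of auditing every file on the device, which is the false-positive load Charlie anticipates.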
