Hmmm... tried auditctl -l and just got

  No rules

Not sure what that means. Since I have /etc/audit.rules in place, does that indicate the syscall auditing part of the kernel is compiled in?

If it isn't, what do I need to do to compile it in?

Bob

Steve Grubb wrote:
On Friday 31 August 2007 11:40:07 Robert Evans wrote:
> I'm using CentOS, kernel 2.6.18-8.el5. I've compiled audit-1.5.6-1 and I'm
> getting USER_AUTH events (logins, su, etc...) but I'm not seeing any
> syscall events.
>
> Any ideas?

Offhand, the rules look Ok. If you can list them back out "auditctl -l" that
means that the syscall auditing part of the kernel is compiled in and
partially working. Other than that, I have no idea - I don't use their
kernel.

-Steve


--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit