Steve,

Once again... Thank you very much. I did not realize that audit.rules had been placed in a new location. I moved audit.rules to /etc/audit, restarted auditd and everything looks like it works fine.

Much thanks again!

Bob

Steve Grubb wrote:
On Friday 31 August 2007 13:35:22 Robert Evans wrote:
 > Hmmm....tried auditctl -l and just got
 >
 >    No rules

OK, that's a start.

 > Since I have /etc/audit.rules in place, does that indicate the syscall
 > auditing part of the kernel is compiled in?

Well, that file is for user space. But on RHEL5, that file's location has
changed. So maybe that is your problem? It should be:

/etc/audit/audit.rules

But, you can load the rules where they are by hand:

auditctl -R /etc/audit.rules

to make sure it's working. See if that doesn't fix your problem.

-Steve


--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit