From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve <m6x@ornl.gov>
Subject: Problem loading rules
Date: Fri, 07 Jul 2006 09:07:31 -0400
Message-ID: <44AE5C93.8030509@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k67D7eu3000611
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 09:07:40 -0400
Received: from emroute1.ornl.gov (emroute1.ornl.gov [160.91.4.119])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k67D7XEE010077
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 09:07:33 -0400
Received: from emroute1.ornl.gov (localhost [127.0.0.1])
	by emroute1.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J2100I97B4KP8@emroute1.ornl.gov> for
	linux-audit@redhat.com; Fri, 07 Jul 2006 09:07:33 -0400 (EDT)
Received: from ORNLEXCHANGE.ornl.gov (ornlexchange1.ornl.gov [160.91.1.20])
	by emroute1.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J2100EI5B4KON@emroute1.ornl.gov> for
	linux-audit@redhat.com; Fri, 07 Jul 2006 09:07:32 -0400 (EDT)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I am trying to load rules from a file that contains:

-a exit,always -F path=/etc/shadow -S open -k myrule_000000
-a exit,always -F path=/usr/sbin/chroot -S execve -k myrule_000001
-a exit,always -F path=/var/repository/important.doc -S unlink -k 
myrule_000002
-a exit,always -F path=/var/log/secure -S open -k myrule_000003
-a exit,always -F path=/usr/bin/nmap -S execve -k myrule_000004

using auditctl -R

I am getting the following error:
Cannot realloc memory!

-F path must be before -S
There was an error in line 2 of iitds_audit.rules

--

I originally had the -S options before the -F.  When I got the error, I 
switched the order, but the same error is returned.

I have tried entering the rules individually from the command line and 
they work without error.

I am using audit-1.2.4

Thanks,
Steve