From: Peter Zijlstra
Subject: Re: [patch 058/209] audit: rework execve audit
Date: Sat, 28 Jul 2007 00:06:21 +0200
Message-ID: <1185573981.15205.57.camel@lappy>
References: <200707190848.l6J8mFQf023098@imap1.linux-foundation.org> <200707271613.10753.sgrubb@redhat.com> <1185569045.15205.49.camel@lappy> <200707271657.40399.sgrubb@redhat.com> <1185573344.15205.54.camel@lappy>
In-Reply-To: <1185573344.15205.54.camel@lappy>
To: Steve Grubb
Cc: linux-audit@redhat.com, aaw@google.com
List-Id: linux-audit@redhat.com

On Fri, 2007-07-27 at 23:55 +0200, Peter Zijlstra wrote:
> On Fri, 2007-07-27 at 16:57 -0400, Steve Grubb wrote:
>
> > I don't know of anything special, it's a fully updated rawhide machine. I am not
> > running any tests, this is at the prompt in runlevel 3. I have audit=1 as a
> > boot parameter in grub.conf and very simple audit rules for that machine:
> >
> > -D
> > -b 256
> > -a exit,always -S sethostname
> > -w /etc/selinux/config
> >
> > which is not exotic.
>
> I'm feeling dumb,.. on fedora 7 userland I do:
>
> [root@opteron ~]# auditctl -D
> No rules
> [root@opteron ~]# auditctl -b 256
> AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0
> [root@opteron ~]# auditctl -a exit,always -S sethostname
> Error sending add rule request (Invalid argument)
>
> man auditctl seems to suggest that is a valid command.

Ok, I am dumb, CONFIG_AUDITSYSCALL=n