From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: "File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32
Date: Thu, 21 Nov 2013 13:14:54 -0500
Message-ID: <1450314.3jTtDjrgmd@x2>
In-Reply-To: <CAJZVxRnm63Bv0KS3dTPRB2y9WPXi-SKcjSdACczP=ecRZYYBiQ@mail.gmail.com>
On Thursday, November 21, 2013 10:20:28 AM Aaron Lewis wrote:
> Hi,
>
> I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)"
> With a customized kernel version 2.6.32.
> And auditctl version 1.0.12

The two don't mix. RHEL4's filesystem watch technique was rejected by the
upstream kernel community, so it's unique. The 2.6.16 and higher kernels use
the current technique. The audit 1.0.x series is designed for the old
technique, while audit 1.1 and higher use the new technique. You also cannot
upgrade from audit-1.0.x without rebuilding a fair amount of user space.

IOW, what you are doing was really never meant to work. You have 2 choices,
push forward with rebuilding user space with new audit package or go back to
old kernel if you need auditing. If you choose to use a new audit package,
also be aware that generally audit stays in sync with the kernel. So, if you
use a very new audit package and very old kernel, you might have other
features that don't work properly.

-Steve

> When I run auditctl -l, I got the following error:
> # auditctl -l
> No rules
> File system watches not supported
>
> What options could be missing in my kernel config? I've enabled
> everything related to "AUDIT"
>
> # zgrep AUDIT /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_TREE=y
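
Added example, not part of the original message or of the audit project's code: a preflight check that classifies a kernel release and an audit userspace version by the watch technique each expects, using only the version boundaries given in the reply above (kernel 2.6.16, audit 1.1). The function names and result strings are hypothetical, and treating a pre-2.6.16 kernel as "RHEL4-patched or no watches at all" is an assumption drawn from the reply's description of the RHEL4 technique as unique.

```shell
#!/bin/sh
# Boundaries taken from the reply: kernels >= 2.6.16 and audit >= 1.1 use the
# current watch technique; audit 1.0.x targets the RHEL4-only technique.

# ver_ge A B: succeed when dotted version A >= B (first three numeric fields).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a)            # drop suffixes such as "-42.EL"
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_audit_pair KERNEL_RELEASE AUDIT_VERSION
# Prints one of: match, mismatch, rhel4-only (hypothetical result strings).
check_audit_pair() {
    if ver_ge "$1" 2.6.16; then kernel=current; else kernel=old; fi
    if ver_ge "$2" 1.1;    then user=current;   else user=old;   fi
    if [ "$kernel" != "$user" ]; then
        echo mismatch        # e.g. the reported case: 2.6.32 with audit 1.0.12
    elif [ "$kernel" = current ]; then
        echo match
    else
        # Assumption: only RHEL4's patched kernel carries the old technique,
        # so this pairing works there and nowhere else.
        echo rhel4-only
    fi
}

# Typical call on a live host (version is the third word of `auditctl -v`):
#   check_audit_pair "$(uname -r)" "$(auditctl -v | awk '{print $3}')"
```

A `mismatch` result corresponds to the "File system watches not supported" situation in this thread; `match` says nothing about how far apart the two versions are, which the reply notes can still leave other features broken.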