public inbox for linux-audit@redhat.com
* "File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32
@ 2013-11-21  2:20 Aaron Lewis
  2013-11-21 18:14 ` Steve Grubb
  2013-11-26 18:34 ` Eric Paris
  0 siblings, 2 replies; 3+ messages in thread
From: Aaron Lewis @ 2013-11-21  2:20 UTC (permalink / raw)
  To: linux-audit

Hi,

I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)"
With a customized kernel version 2.6.32.
And auditctl version 1.0.12

When I run auditctl -l, I got the following error:
# auditctl -l
No rules
File system watches not supported

What options could be missing in my kernel config? I've enabled
everything related to "AUDIT"

# zgrep AUDIT /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y


-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: "File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32
  2013-11-21  2:20 "File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32 Aaron Lewis
@ 2013-11-21 18:14 ` Steve Grubb
  2013-11-26 18:34 ` Eric Paris
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2013-11-21 18:14 UTC (permalink / raw)
  To: linux-audit

On Thursday, November 21, 2013 10:20:28 AM Aaron Lewis wrote:
> Hi,
> 
> I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)"
> With a customized kernel version 2.6.32.
> And auditctl version 1.0.12

The two don't mix. RHEL4's filesystem watch technique was rejected by the 
upstream kernel community, so it's unique. The 2.6.16 and higher kernels use 
the current technique. The audit 1.0.x series is designed for the old 
technique, while audit 1.1 and higher use the new technique. You also cannot 
upgrade from audit-1.0.x without rebuilding a fair amount of user space.

IOW, what you are doing was really never meant to work. You have 2 choices, 
push forward with rebuilding user space with new audit package or go back to 
old kernel if you need auditing. If you choose to use a new audit package, 
also be aware that generally audit stays in sync with the kernel. So, if you 
use a very new audit package and very old kernel, you might have other 
features that don't work properly.

-Steve


> When I run auditctl -l, I got the following error:
> # auditctl -l
> No rules
> File system watches not supported
> 
> What options could be missing in my kernel config? I've enabled
> everything related to "AUDIT"
> 
> # zgrep AUDIT /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_TREE=y

^ permalink raw reply	[flat|nested] 3+ messages in thread
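
The version boundaries given in the reply above (kernel 2.6.16, audit 1.1) can be turned into a pre-flight check for a kernel / audit user-space pairing. This is an added example, not part of the thread or of the audit package; the function names and verdict strings are hypothetical, and the `auditctl -v` output format in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example. Boundaries are the ones stated in the reply above:
#   kernel >= 2.6.16 uses the current watch technique,
#   audit  >= 1.1    is built for it; audit 1.0.x expects RHEL4's technique.

# ver_ge A B: succeed when dotted version A >= B (first three fields, numeric).
ver_ge() {
    # Keep only the leading digits-and-dots part: "2.6.9-34.EL" -> "2.6.9".
    IFS=. read -r a1 a2 a3 _rest <<EOF
${1%%[!0-9.]*}
EOF
    IFS=. read -r b1 b2 b3 _rest <<EOF
${2%%[!0-9.]*}
EOF
    a1=${a1:-0} a2=${a2:-0} a3=${a3:-0}
    b1=${b1:-0} b2=${b2:-0} b3=${b3:-0}
    [ "$a1" -eq "$b1" ] || return $(( a1 < b1 ))
    [ "$a2" -eq "$b2" ] || return $(( a2 < b2 ))
    [ "$a3" -ge "$b3" ]
}

# audit_watch_compat KERNEL_VERSION AUDIT_VERSION
# Prints a verdict and returns non-zero for the mismatched pairings.
audit_watch_compat() {
    if ver_ge "$1" 2.6.16; then kern=new; else kern=old; fi
    if ver_ge "$2" 1.1;    then user=new; else user=old; fi
    case $kern/$user in
        new/new) echo "ok" ;;
        # Old technique on both sides: only RHEL4's own kernel carries it.
        old/old) echo "legacy" ;;
        # The case reported in this thread: 2.6.32 kernel, auditctl 1.0.12.
        new/old) echo "userspace-too-old"; return 1 ;;
        old/new) echo "kernel-too-old"; return 1 ;;
    esac
}

# Usage on a live host (assumes "auditctl -v" ends with the version number):
#   audit_watch_compat "$(uname -r)" "$(auditctl -v | awk '{print $NF}')"
```

A non-zero exit lets a provisioning script stop before loading watch rules that the kernel would reject.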

* Re: "File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32
  2013-11-21  2:20 "File system watches not supported" with auditctl 1.0.12 / kernel 2.6.32 Aaron Lewis
  2013-11-21 18:14 ` Steve Grubb
@ 2013-11-26 18:34 ` Eric Paris
  1 sibling, 0 replies; 3+ messages in thread
From: Eric Paris @ 2013-11-26 18:34 UTC (permalink / raw)
  To: Aaron Lewis; +Cc: linux-audit

On Thu, 2013-11-21 at 10:20 +0800, Aaron Lewis wrote:
> Hi,
> 
> I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)"
> With a customized kernel version 2.6.32.
> And auditctl version 1.0.12
> 
> When I run auditctl -l, I got the following error:
> # auditctl -l
> No rules
> File system watches not supported
> 
> What options could be missing in my kernel config? I've enabled
> everything related to "AUDIT"
> 
> # zgrep AUDIT /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_TREE=y

in 2.6.32?  probably inotify...

^ permalink raw reply	[flat|nested] 3+ messages in thread
