Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: File watches supported in Audit 1.1.5 on Fedora Core 5?
Date: Mon, 19 Jun 2006 22:08:55 -0400
Message-ID: <200606192208.55652.sgrubb@redhat.com>
In-Reply-To: <20060620005255.GA6986@arlut.utexas.edu>

On Monday 19 June 2006 20:52, Jonathan Abbey wrote:
> It appears that, contrary to the man pages in the audit RPM, file watches
> are not supported.

The file system watches in 1.1.5 are the kind that the RHEL4 kernel is 
expecting. We had trouble merging the patches into the kernel.org kernel and 
had to spend a long time rewriting the subsystem.

> Likewise, many of the example rules in
> /usr/share/doc/audit-1.1.5/sample.rules, such as
>
>   # Auditing failed opens
>   -a entry,always -S open -F success!=0
>
> seem to be out of step with the actual rules supported by
> /sbin/auditctl and/or the kernel.  (I get the sensible 'Field success
> cannot be checked at syscall entry' message).

Right, so you just move the rule to the exit filter.

> Would the latest FC5 kernels support inotify-based file watches with a
> more recent version of the Audit user tools?

The file system watches are scheduled to land in the 2.6.18 kernel. We have a 
test kernel that you can test with in the meantime:

http://people.redhat.com/sgrubb/files/lspp/

> Is there any up-to-date documentation that would serve me better than
> that in the /usr/share/doc/audit-1.1.5 directory on FC5?  I don't see
> any on Steve Grubb's Audit page.

This mail list is a good place to ask. We have not done much in terms of 
tutorials or HOWTOs because half the audit system has been missing from 
common kernels. The 1.2.x series audit packages are reworked to fit the file 
system audit code that goes with the 2.6.18 kernel. I will push that into 
Fedora Core 5 when 2.6.18 starts into the rc phase. So, if you want to 
experiment, install an lspp kernel and build a 1.2.x audit package for fc5. 
You should be set.

-Steve
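As an added illustration of the "move the rule to the exit filter" advice above (this is not code from the thread or from the audit package): a small POSIX sh check that flags sample rules which test `-F success` on the entry list, where the kernel cannot evaluate it, and rewrites them onto the exit list. The rule set is a constructed sample in the style of sample.rules, not the real file.

```shell
#!/bin/sh
# Constructed sample rule set (not the shipped sample.rules). Only the first
# rule has the problem from the thread: the success field is checked at entry.
SAMPLE_RULES='# Auditing failed opens
-a entry,always -S open -F success!=0
# Watch for any use of chmod (success is not referenced, entry is fine)
-a entry,always -S chmod
# Already on the exit filter
-a exit,always -S openat -F success!=0'

# Print rules that sit on the entry list yet check the success field.
# auditctl rejects these with "Field success cannot be checked at syscall
# entry", because the return value is only known when the syscall exits.
find_entry_success_rules() {
    printf '%s\n' "$1" \
        | grep -E '^-a +(entry,always|always,entry)' \
        | grep -E -- '-F +success'
}

# Rewrite those rules onto the exit list (both "entry,always" and
# "always,entry" spellings) and pass every other line through unchanged.
move_to_exit_filter() {
    printf '%s\n' "$1" \
        | sed -E -e '/-F +success/s/^(-a +)entry,/\1exit,/' \
                 -e '/-F +success/s/^(-a +always,)entry /\1exit /'
}

# Usage: show the offending rule, then the corrected rule set.
find_entry_success_rules "$SAMPLE_RULES"
move_to_exit_filter "$SAMPLE_RULES"
```

The corrected output can be loaded with `auditctl -R` once reviewed; rules that do not reference `success` stay on whichever list they were written for.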
