From: Steve Grubb
Subject: Re: Audit-1.0.14
Date: Wed, 11 Oct 2006 08:24:37 -0400
Message-ID: <200610110824.38005.sgrubb@redhat.com>
References: <04485C8018722949A3DF79E193BB44DB07A50599@xcgfl107.northgrum.com>
In-Reply-To: <04485C8018722949A3DF79E193BB44DB07A50599@xcgfl107.northgrum.com>
To: linux-audit@redhat.com
Cc: "Boyce, Kevin P. (Melbourne, FL)"
List-Id: linux-audit@redhat.com

On Wednesday 11 October 2006 07:49, Boyce, Kevin P. (Melbourne, FL) wrote:
> I can install the deb files and the audit daemon runs, but it has trouble
> parsing the audit.rules file. The error I am getting is "Error sending
> insert watch request (Invalid Argument)."

This is not a parsing error... it's worse. The audit 1.0.x series was developed
to complement the RHEL4 kernel. At the time, it was envisioned that the
technique used for watches would be accepted upstream. It was rejected due to
some overlap with inotify, so the watch system was re-written. The audit
1.2.x series has the code for the new system. Watches were not accepted
upstream until the 2.6.18 kernel.

> I have a requirement to use these two kernel versions, and unfortunately
> can't use redhat, fedora, or their kernel binaries.

Then you are limited to inode based auditing. Or maybe if you put the things
you have to watch onto one partition, you can use devmajor and minor. I'd try
to move to a 2.6.18 kernel with the latest audit package.

-Steve
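
Added example, not part of the original message or of the audit package: a sketch of the inode-based fallback described above, which emits `-w` watches for upstream kernels at or after 2.6.18 and `inode`/`devmajor`/`devminor` rules otherwise. The function names, the `open` syscall choice, the old-style `exit,always` rule form and the sample kernel releases are assumptions made for illustration.

```python
import os
import re
import tempfile

WATCH_MIN_KERNEL = (2, 6, 18)  # first upstream kernel with watches, per the email


def kernel_tuple(release):
    """Parse '2.6.17-10-generic' into (2, 6, 17); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g or 0) for g in m.groups())


def supports_watches(release):
    """True when an upstream kernel of this release carries the watch code."""
    return kernel_tuple(release) >= WATCH_MIN_KERNEL


def inode_rule(path, syscall="open"):
    """Build an inode-based auditctl rule for one existing file.

    The rule follows the inode, not the name: if the file is replaced
    (a new file renamed over the old one) the rule must be regenerated.
    """
    st = os.stat(path)
    return ("-a exit,always -S %s -F inode=%d -F devmajor=%d -F devminor=%d"
            % (syscall, st.st_ino, os.major(st.st_dev), os.minor(st.st_dev)))


def rules_for(paths, release):
    """Emit '-w' watches where supported, inode rules otherwise."""
    if supports_watches(release):
        return ["-w %s" % p for p in paths]
    return [inode_rule(p) for p in paths]


if __name__ == "__main__":
    # Constructed sample: a temporary file stands in for an audited file,
    # and the two release strings are made-up inputs.
    with tempfile.NamedTemporaryFile() as f:
        for release in ("2.6.17-10-generic", "2.6.18"):
            print(release, rules_for([f.name], release))
```

Because an inode rule is tied to the file's current inode and device, regenerate and reload the rules after anything that recreates the audited files, such as a package upgrade or a restore from backup.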