From: Steve Grubb
Subject: Re: Linux-audit Digest, Vol 27, Issue 2
Date: Mon, 11 Dec 2006 13:20:26 -0500
Message-ID: <200612111320.27071.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Thomas, Daniel J.", "Wieprecht, Karen M."

On Monday 11 December 2006 12:15, Thomas, Daniel J. wrote:
> I'm new to the audit subsystem. I need to get it working well under
> RHEL4. The version that comes with Redhat is very old (1.0.14?)

That is the latest for RHEL4. There is a 1.0.15 in the pipeline that backports
many features from 1.2.9.

> I noticed if I upgrade to 1.0.14 it pretty much works the same, but if I
> upgrade all the way to 1.3.1, file watch functionality has been removed.

There are differences in the RHEL4 kernel and the current 2.6.19 kernel
regarding audit that cause them to be incompatible in several ways.

> How do I handle auditing of access to security files with 1.3?

1.3.1 is commandline compatible with 1.0.14. However, you need to be using a
2.6.19 kernel for it.

-Steve