public inbox for linux-audit@redhat.com
* Audit not taking rules
@ 2008-07-02 22:44 Bo
  2008-07-03 11:49 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Bo @ 2008-07-02 22:44 UTC (permalink / raw)
  To: linux-audit

I have a RHEL 4 install (update 5).
aureport seems to be working, and so is /var/log/audit/audit.log;
however, auditd does not take any of my watch rules:
[root@master ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
Error sending watch insert request (Invalid argument)
There was an error in line 26 of /etc/audit.rules

When I do auditctl -l:
[root@master ~]# auditctl -l
No rules
File system watches not supported

Can anyone point me to a solution?
audit version 1.0.15
kernel 2.6.22.5

Here is my audit.rules:
## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
-b 1024

## Set failure mode to panic
-f 2

-w /boot -p wa


* Re: Audit not taking rules
  2008-07-02 22:44 Audit not taking rules Bo
@ 2008-07-03 11:49 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2008-07-03 11:49 UTC (permalink / raw)
  To: linux-audit

On Wednesday 02 July 2008 18:44:49 Bo wrote:
> I have a RHEL 4 install (update 5).
>
> [root@master ~]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Error sending watch insert request (Invalid argument)
> There was an error in line 26 of /etc/audit.rules

What is in line 26 of the rules?


> Can anyone point me to a solution?
> audit version 1.0.15
> kernel 2.6.22.5

This is not a RHEL4 kernel. You need to use RHEL4's kernel with the RHEL4 user 
space audit tools. This is undoubtedly the problem. The audit system evolved 
over time and some things were deprecated and some things were added. The 
user space tools hide this as long as you use the right ones.

-Steve
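
The question of what sits on a given line of the rules file, and whether it is a watch, can be answered mechanically. The script below is an added example, not part of either message or of the audit package: it numbers the active lines of a rules file and labels each one. The function names are hypothetical, the sample is the rules quoted in the first message embedded as constructed input, and it assumes the line number in the error message counts every line of the file.

```shell
#!/bin/sh
# Added example (not from the thread or the audit package).

# sample_rules: the rules quoted in the first message, embedded as a
# constructed sample so the script runs offline.
sample_rules() {
    cat <<'EOF'
## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
-b 1024

## Set failure mode to panic
-f 2

-w /boot -p wa
EOF
}

# classify_rules: read a rules file on stdin and print "LINE KIND RULE" for
# every active line. LINE is the number in the file, comments and blank
# lines included (assumption: the error message counts lines the same way).
classify_rules() {
    awk '
        /^[ \t]*#/ { next }   # comment
        /^[ \t]*$/ { next }   # blank line
        {
            sub(/^[ \t]+/, "")
            kind = "other"
            if ($1 ~ /^-[Dbfer]$/)   kind = "control"  # -D, -b, -f, -e, -r
            else if ($1 == "-w")     kind = "watch"    # file system watch
            else if ($1 ~ /^-[aA]$/) kind = "syscall"  # syscall rule
            print NR, kind, $0
        }
    '
}

# kind_at_line N: print the kind of the rule on line N (empty if none).
kind_at_line() {
    classify_rules | awk -v n="$1" '$1 == n { print $2 }'
}

sample_rules | classify_rules
```

On a real system, `classify_rules < /etc/audit.rules` gives the same listing; every line labelled `watch` depends on the kernel watch support that `auditctl -l` reported as missing in the first message.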
