From: Steve Grubb
Subject: Re: Audit not taking rules
Date: Thu, 3 Jul 2008 07:49:07 -0400
Message-ID: <200807030749.07390.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 02 July 2008 18:44:49 Bo wrote:
> I have RHEL 4 install (update 5).
>
> [root@master ~]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Error sending watch insert request (Invalid argument)
> There was an error in line 26 of /etc/audit.rules

What is in line 26 of the rules?

> Can anyone point me to a solution?
> audit version 1.0.15
> kernel 2.6.22.5

This is not a RHEL4 kernel. You need to use RHEL4's kernel with the RHEL4 user
space audit tools. This is undoubtedly the problem. The audit system evolved
over time and some things were deprecated and some things were added. The
user space tools hide this as long as you use the right ones.

-Steve