From: Bo
Subject: Audit not taking rules
Date: Wed, 2 Jul 2008 16:44:49 -0600
To: linux-audit@redhat.com

I have a RHEL 4 install (update 5).
aureport seems to be working, as does /var/log/audit/audit.log,
however auditd does not take any of my watch rules
[root@master ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
Error sending watch insert request (Invalid argument)
There was an error in line 26 of /etc/audit.rules

When I do auditctl -l,
[root@master ~]# auditctl -l
No rules
File system watches not supported

Can anyone point me to a solution?
audit version 1.0.15
kernel 2.6.22.5

here is my audit.rules
## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
-b 1024

## Set failure mode to panic
-f 2

-w /boot -p wa


From: Steve Grubb
Subject: Re: Audit not taking rules
Date: Thu, 3 Jul 2008 07:49:07 -0400
Message-ID: <200807030749.07390.sgrubb@redhat.com>
To: linux-audit@redhat.com

On Wednesday 02 July 2008 18:44:49 Bo wrote:
> I have a RHEL 4 install (update 5).
>
> [root@master ~]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Error sending watch insert request (Invalid argument)
> There was an error in line 26 of /etc/audit.rules

What is in line 26 of the rules?

> Can anyone point me to a solution?
> audit version 1.0.15
> kernel 2.6.22.5

This is not a RHEL4 kernel. You need to use RHEL4's kernel with the RHEL4 user space audit tools. This is undoubtedly the problem. The audit system evolved over time and some things were deprecated and some things were added. The user space tools hide this as long as you use the right ones.

-Steve
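Both messages turn on which line of /etc/audit.rules auditd rejected: the posted file has only eleven lines, yet the error names line 26, and the rejected rule is a file-system watch that the running kernel does not support for these user-space tools. The following is an added example, not code from the thread or from the audit project: a small Python parser for the auditctl rules-file format that reports every rule with its file line number, lists the -w watch rules, and runs cheap static checks on the argument forms used above. The sample rules text is a constructed copy of the posted file, and the checks are assumptions about the forms shown here (-D, -b, -f, -w PATH -p PERMS), not auditctl's full grammar; the kernel/user-space mismatch Steve describes cannot be detected from the file alone.

```python
"""Parse an auditctl rules file and report rules by line number.

Added example, not code from the mailing-list thread or the audit
project.  It understands only the rule forms that appear in the posted
file (-D, -b, -f, -w PATH -p PERMS) plus -a/-e as opaque entries; the
checks below are assumptions about those forms, not auditctl's grammar.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the audit.rules file posted in the thread.
SAMPLE_RULES = """\
## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
-b 1024

## Set failure mode to panic
-f 2

-w /boot -p wa
"""

# First token of a rule line -> rule kind.
KIND_BY_FLAG = {
    "-D": "delete",    # flush existing rules
    "-b": "buffer",    # kernel backlog size
    "-f": "failure",   # failure mode 0/1/2
    "-w": "watch",     # file-system watch (needs kernel support)
    "-a": "syscall",   # syscall rule
    "-e": "enable",    # enable/lock flag
}


@dataclass
class AuditRule:
    lineno: int                  # 1-based line in the file, as auditd reports it
    kind: str
    args: List[str]
    path: Optional[str] = None   # -w target
    perms: Optional[str] = None  # -p permissions


def _parse_line(lineno: int, line: str) -> Optional[AuditRule]:
    """Return an AuditRule for one line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    args = shlex.split(stripped)
    rule = AuditRule(lineno=lineno, kind=KIND_BY_FLAG.get(args[0], "other"), args=args)
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else None
        if arg == "-w":
            rule.path = nxt
        elif arg == "-p":
            rule.perms = nxt
    return rule


def parse_rules(text: str) -> List[AuditRule]:
    """Parse a whole rules file, keeping the original line numbers."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = _parse_line(lineno, line)
        if rule is not None:
            rules.append(rule)
    return rules


def rule_at_line(rules: List[AuditRule], lineno: int) -> Optional[AuditRule]:
    """Look up the rule auditd complained about ("error in line N")."""
    for rule in rules:
        if rule.lineno == lineno:
            return rule
    return None


def watch_rules(rules: List[AuditRule]) -> List[AuditRule]:
    """The -w rules: these are the ones rejected when the running kernel
    lacks file-system watch support for the installed user-space tools."""
    return [r for r in rules if r.kind == "watch"]


def validate(rules: List[AuditRule]) -> List[Tuple[int, str]]:
    """Static checks on argument forms; returns (lineno, message) pairs.
    They catch typos before auditctl does, but cannot see a kernel mismatch."""
    problems = []
    for r in rules:
        if r.kind == "watch" and (r.path is None or not r.path.startswith("/")):
            problems.append((r.lineno, "-w needs an absolute path"))
        if r.perms is not None and (not r.perms or set(r.perms) - set("rwxa")):
            problems.append((r.lineno, "-p accepts only the letters r, w, x, a"))
        if r.kind == "failure" and (len(r.args) < 2 or r.args[1] not in ("0", "1", "2")):
            problems.append((r.lineno, "-f takes 0, 1 or 2"))
        if r.kind == "buffer" and (len(r.args) < 2 or not r.args[1].isdigit()
                                   or int(r.args[1]) <= 0):
            problems.append((r.lineno, "-b takes a positive integer"))
    return problems


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for r in parsed:
        print(f"line {r.lineno:3d}  {r.kind:8s}  {' '.join(r.args)}")
    print("watch rules:", [r.lineno for r in watch_rules(parsed)])
    print("line 26:", rule_at_line(parsed, 26))  # None: the posted file is shorter
    print("problems:", validate(parsed))
```

Run against the posted file, rule_at_line(parsed, 26) returns None, which is the point of Steve's question: the file on the machine that produced the error is not the file that was posted, so the rejected line has to be read from /etc/audit.rules itself.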