On Monday 06 August 2007 09:48:41 am Søren Olesen wrote:
> [EMAIL PROTECTED] audit]# auditctl -v
> auditctl version 1.3.1

There may have been a bug in that version. I remember a problem where it wasn't upgrading the rule from the old kind to the new kind correctly. (It tries to use the old rule style for communicating with the kernel for backward compatibility with old kernels - pre-2.6.16.)

There are slightly newer RHEL5 audit packages here:

http://people.redhat.com/sgrubb/files/lspp/

But the RHEL5.1 package 1.5.5-5 should work fine:

# auditctl -a exit,always -S open -F "auid>=500"
# auditctl -l
LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
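A follow-up check, added here as an example and not part of the original message: a POSIX shell function that scans `auditctl -l` output in the format shown above and confirms the rule still carries its field filter. The function names and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Real use, as root: rule_present "$(auditctl -l)" open 'auid>=500'

# has_token LINE TOKEN: exact whitespace-delimited match, so that
# 'auid>=500' does not match a line containing 'auid>=5000'.
has_token() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# rule_present LISTING SYSCALL [FIELD...]
# Returns 0 when one LIST_RULES line names the syscall and every FIELD.
# Assumption: single-syscall rules, printed as 'syscall=<name>'.
rule_present() {
    listing=$1; syscall=$2; shift 2
    while IFS= read -r line; do
        case $line in
            LIST_RULES:*) ;;
            *) continue ;;
        esac
        has_token "$line" "syscall=$syscall" || continue
        missing=0
        for field in "$@"; do
            has_token "$line" "$field" || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
    done <<EOF
$listing
EOF
    return 1
}

# Listing as shown in the message for audit 1.5.5-5.
GOOD='LIST_RULES: exit,always auid>=500 (0x1f4) syscall=open'
# Constructed listing: the same rule loaded without its auid filter.
BAD='LIST_RULES: exit,always syscall=open'

if rule_present "$GOOD" open 'auid>=500'; then
    echo "GOOD: rule loaded with auid>=500 filter"
fi
if ! rule_present "$BAD" open 'auid>=500'; then
    echo "BAD: open rule is missing the auid>=500 filter"
fi
```

A rule that loads without its `auid` filter still shows up in the listing but records `open` calls for every account, so the check matches on the filter and not only on the syscall name.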