On Thursday, November 21, 2013 10:20:28 AM Aaron Lewis wrote:
> Hi,
>
> I'm running "Red Hat Enterprise Linux AS release 4 (Nahant Update 3)"
> With a customized kernel version 2.6.32.
> And auditctl version 1.0.12

The two don't mix. RHEL4's filesystem watch technique was rejected by the upstream kernel community, so it's unique. The 2.6.16 and higher kernels use the current technique. The audit 1.0.x series is designed for the old technique, while audit 1.1 and higher use the new technique. You also cannot upgrade from audit-1.0.x without rebuilding a fair amount of user space. IOW, what you are doing was really never meant to work.

You have 2 choices: push forward with rebuilding user space with a new audit package, or go back to the old kernel if you need auditing.

If you choose to use a new audit package, also be aware that generally audit stays in sync with the kernel. So, if you use a very new audit package and a very old kernel, you might have other features that don't work properly.

-Steve

> When I run auditctl -l, I got the following error:
> # auditctl -l
> No rules
> File system watches not supported
>
> What options could be missing in my kernel config? I've enabled
> everything related to "AUDIT"
>
> # zgrep AUDIT /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_TREE=y

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
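
The pairing rule from the reply above, written as a check that can be run before relying on file watches. This is an added example, not part of the original thread or of the audit package; the function names `ver_ge` and `classify` and the sample version strings are constructed for illustration, and only the two thresholds (kernel 2.6.16, audit 1.1) come from the message.

```shell
#!/bin/sh
# Added example: classify a kernel / audit user-space pairing using the
# thresholds stated in the reply (kernel 2.6.16, audit 1.1).
# Usage on a live host (auditctl -v prints "auditctl version X.Y.Z"):
#   sh check.sh "$(uname -r)" "$(auditctl -v | awk '{print $3}')"

# ver_ge A B: succeed if dotted version A >= B. Only the first three
# numeric fields are compared; a suffix such as "-34.EL" is dropped.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS; IFS=.
    # Split on dots; the trailing zeros pad short versions like "1.1".
    set -- $a 0 0 0; a1=$1; a2=$2; a3=$3
    set -- $b 0 0 0; b1=$1; b2=$2; b3=$3
    IFS=$old_ifs
    [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
    [ "$a3" -ge "$b3" ]
}

# classify KERNEL_VERSION AUDIT_VERSION: print which watch technique each
# side expects and whether they agree. Assumption: a kernel below 2.6.16
# is treated as "old", which only holds for the RHEL4 kernel, since the
# old technique never went upstream.
classify() {
    if ver_ge "$1" 2.6.16; then k=new; else k=old; fi
    if ver_ge "$2" 1.1; then u=new; else u=old; fi
    if [ "$k" = "$u" ]; then
        echo "match: kernel=$k userspace=$u"
    else
        echo "mismatch: kernel=$k userspace=$u"
    fi
}

# Run only when both versions are supplied on the command line.
if [ "$#" -eq 2 ]; then
    classify "$1" "$2"
fi
```

A `mismatch` result with `kernel=new userspace=old` is the combination reported in this thread (2.6.32 with auditctl 1.0.12).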