Hi folks - I'm trying to get the audit tools running on SuSE 10.0...
From the list traffic, it seems that only RHEL4 and FC4 kernels have the
latest patches applied to support the latest auditd, so I retrieved
and built kernel-2.6.14-1.1656_FC4.src.rpm for my system, but I'm still
getting the same "Invalid argument" when I try to do 'auditctl -w
file':
(same error message I get with the stock SuSE 10.0 kernel and the SuSE
10.0 pre-packaged audit-1.0.3-2 tools/libraries)
---
linux:/home/rgiles # auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=6342 rate_limit=0 backlog_limit=64 lost=0 backlog=0
linux:/home/rgiles # auditctl -w /etc/shadow
Error sending watch insert request (Invalid argument)
---
On startup, I see this from the kernel:
---
audit: initializing netlink socket (disabled)
audit(1138207304.552:1): initialized
---
/var/log/audit/audit.log reads:
---
type=DAEMON_START msg=audit(1138229931.984:4606) auditd start, ver=1.1.3, format=raw, auid=4294967295 res=success, auditd pid=6370
type=CONFIG_CHANGE msg=audit(1138229931.985:5): audit_enabled=1 old=1 by auid=4294967295
---
Any pointers would be greatly appreciated (and I apologize for bothering
y'all with usability questions on what appears to be a kernel devel
list... comp.os.linux.suse is full of LAuS questions, but nothing
pertaining to the built-in kernel auditing that y'all are working on).
-----------------------------------------------------------
Robert Giles Group System Administrator
SPD/ARL:UT (512) 835-3077 / Fax (512) 490-4244
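Added example (not part of the post above): a small parser for the raw audit.log records quoted in the message, so the daemon and configuration state can be checked from the log rather than read by eye. It assumes the raw record layout shown there (type=..., a msg=audit(timestamp:serial) header, then key=value fields, some comma-separated with free-text words in between); the two sample records are the ones from the post, re-joined onto single lines.

```python
import re

# Constructed sample input: the two records quoted in the post. In the real
# log the DAEMON_START record is a single line; the e-mail wrapped it.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1138229931.984:4606) auditd start, ver=1.1.3, format=raw, auid=4294967295 res=success, auditd pid=6370
type=CONFIG_CHANGE msg=audit(1138229931.985:5): audit_enabled=1 old=1 by auid=4294967295
"""

# auid=4294967295 is (uid_t)-1: the kernel's "login uid never set" value,
# which is what you see for the audit daemon and for actions not tied to a
# login session.
AUID_UNSET = 4294967295

# Header: msg=audit(seconds.millis:serial), optionally followed by ':'
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):?")

def parse_record(line):
    """Parse one raw audit record into a dict.

    Yields 'type', 'timestamp' (float), 'serial' (int) and every key=value
    field after the header. Trailing commas are stripped because the raw
    format separates some fields with them; bare words ('auditd start',
    'by') are collected under 'text' instead of being dropped.
    """
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("no msg=audit(...) header in record: %r" % line)
    rec = {
        "type": line.split()[0].split("=", 1)[1],
        "timestamp": float(m.group(1) + "." + m.group(2)),
        "serial": int(m.group(3)),
    }
    text = []
    for tok in line[m.end():].split():
        tok = tok.rstrip(",")
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if val.isdigit() else val
        elif tok:
            text.append(tok)
    rec["text"] = " ".join(text)
    return rec

def parse_log(data):
    """Parse every non-empty line of a raw audit log."""
    return [parse_record(l) for l in data.splitlines() if l.strip()]

def auid_is_unset(rec):
    """True when the record carries no real login uid."""
    return rec.get("auid") == AUID_UNSET
```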