I am trying to load rules from a file that contains:
-a exit,always -F path=/etc/shadow -S open -k myrule_000000
-a exit,always -F path=/usr/sbin/chroot -S execve -k myrule_000001
-a exit,always -F path=/var/repository/important.doc -S unlink -k myrule_000002
-a exit,always -F path=/var/log/secure -S open -k myrule_000003
-a exit,always -F path=/usr/bin/nmap -S execve -k myrule_000004
using auditctl -R
I am getting the following error:
Cannot realloc memory!
-F path must be before -S
There was an error in line 2 of iitds_audit.rules
--
I originally had the -S options before the -F. When I got the error, I
switched the order, but the same error is returned.
I have tried entering the rules individually from the command line and
they work without error.
I am using audit-1.2.4
Thanks,
Steve