Re: auditd/auditctl SLED10

On Fri, Jul 21, 2006 at 10:31:22AM -0400, Linda Knippers wrote: > Lane Williams wrote: > > Yeah, I had tried that. There is an access syscall. From the looks of > > things the audit version that comes with SuSE has a few problems. I > > know in Red Hat it seems to work as I need it to. SuSE is also using > > Apparmor in place of SELinux, or at least they make it appear that way. > > The audit deamon also does not support file system watches. > > File system watches aren't supported in the upstream kernel until > 2.6.18. > > > Seems the only success=no returns that I receive are when the file does > > not exist. I may also have to add more to my filter in order to get > > what I want. Unfortunately I am stuck with SuSE and will have to > > continue troubleshooting until the patches come out. > > If you're using a 2.6.16 kernel and 1.1.3 audit tools, that seems like > a mismatch. There was a 1.1.4 audit package released back in February > and the release mail mentions apparmor support. > https://www.redhat.com/archives/linux-audit/2006-February/msg00036.html We have integrated AppArmor support in our 1.1.3 packages. (The stuff we sent upstream for 1.1.4). Ciao, Marcus