On Thu, 2007-02-01 at 09:59 -0500, Stephen Smalley wrote:

Also, he mentioned RHEL 4 as his platform, so I would tend to think that
his kernel and auditctl wouldn't support this anyway.  So he may be
limited to using auditallow statements in policy, which is certainly
legitimate use of them (although I understand your goal of centralizing
audit configuration).

It is for RHEL 4, so the above won't work. How much of the functionality is in userspace, and how much requires extra kernel bits? In short, can I recompile the RHEL5 auditd for RHEL4 and expect to get additional functionality?

Matt

-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490