Lane Williams wrote:
Yeah, I had tried that. There is an access syscall. From the looks of
things the audit version that comes with SuSE has a few problems. I
know in Red Hat it seems to work as I need it to. SuSE is also using
Apparmor in place of SELinux, or at least they make it appear that way.
The audit daemon also does not support file system watches.
File system watches aren't supported in the upstream kernel until
2.6.18.
Seems the only success=no returns that I receive are when the file does
not exist. I may also have to add more to my filter in order to get
what I want. Unfortunately I am stuck with SuSE and will have to
continue troubleshooting until the patches come out.
If you're using a 2.6.16 kernel and 1.1.3 audit tools, that seems like
a mismatch. There was a 1.1.4 audit package released back in February
and the release mail mentions apparmor support.
https://www.redhat.com/archives/linux-audit/2006-February/msg00036.html
You could try:
http://people.redhat.com/sgrubb/audit/audit-1.1.4-1.src.rpm
Good luck,
-- ljk
Thanks,
Lane