I have a RHEL 4 install (update 5).
aureport seems to be working, and so is /var/log/audit/audit.log;
however, auditd does not take any of my watch rules.
[root@master ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
There was an error in line 26 of /etc/audit.rules
When I do auditctl -l:
[root@master ~]# auditctl -l
No rules
File system watches not supported
Can anyone point me to a solution?
audit version 1.0.15
kernel 2.6.22.5
Here is my audit.rules:
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 1024
## Set failure mode to panic
-f 2
-w /boot -p wa