I am running lspp.17 kernel with audit-1.2.1 on an x86_64 system.
I noticed this behavior (has anyone encountered anything similar?):
After a reboot, the first auditctl command that I try will not work. After that
it works fine.
Example:
# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules
-- Reboot --
# auditctl -a entry,always -S chmod
Error sending add rule request (Operation not permitted)
# auditctl -a entry,always -S chmod
# auditctl -l
LIST_RULES: entry,always syscall=chmod
The problem is reproducible, and it happens no matter what auditctl command
you try at first (listing, adding watches, adding rules, etc.).
- Loulwa