On Wed, Mar 01, 2006 at 04:18:23PM -0600, Loulwa Salem wrote:
> Hi,
> I just fresh installed an FC5-t3 (2.6.15-1.1955_FC5) on a ppc64 system
> and noticed the following behavior with auditctl:
>
> Inserting an audit rule in the following manner works (i.e. there is a
> record for rule addition, and it generates a record when the syscall
> is executed)
>
>     auditctl -a action,list -S syscall
>
> However, the following does not work (i.e. there is a record that a
> rule was added in the log, but no record is generated when the syscall
> is executed)
>
>     auditctl -a action,list -F arch=b32 -S syscall
> or
>     auditctl -a action,list -F arch=b64 -S syscall
>
> The version of auditctl on the system is audit-1.1.4-5.1
> Michael tried this on an i386 FC5-t3 and he sees the same problem.
> But on an i386 with the latest lspp.10 kernel everything works fine.
> Has anyone experienced this problem?

I just experienced the same problem when specifying a rule with the
'inode' field. I suspect this is because the support for the new
operators was added to auditctl in audit-1.1.1 and does not exist in
the FC5-t3 kernel. If you downgrade your audit packages to the
1.0 stream, do you still see the problem?
Amy