I'm attempting to use the auditd
package (1.5.4) as supplied downstream in the Ubuntu distribution. I'm
encountering a problem (as a few others are as well, Ubuntu bug #140784) in
that we can't get auditctl to successfully handle any new rules. For me,
this version of auditd has not worked at all. I’m only newly
acquainted with auditd, so this has been my only experience.
For example, entering at the command line (taken from the man page):

    auditctl -a exit,always -S open -F success!=0

results in the response

    Error sending add rule request (Invalid argument)

I tried adding other possible rules via auditctl, and all attempts cause this response.
Apparently no one using Red Hat is
having this problem (i.e., no complaints on this list), which suggests that
perhaps the problem is a package dependency problem within Ubuntu, but that's
just a guess.
Can someone offer any help or
suggestions as to what may be causing this problem for Ubuntu users, and what
we might do to fix it? (I also tried updating to version 1.6.4, which
also failed the same way.)
Thanks for any light you can shed!
-- Bill Brennan