I'm attempting to use the auditd package (1.5.4) as supplied downstream in the Ubuntu distribution.  I'm encountering a problem (as a few others are as well, Ubuntu bug #140784) in that we can't get auditctl to successfully handle any new rules.  For me, this version of auditd has not worked at all.  I’m only newly acquainted with auditd, so this has been my only experience.

For example, entering at the command line (taken from the man page):

  auditctl -a exit,always -S open -F success!=0

results in the response

  Error sending add rule request (Invalid argument)

I tried adding other possible rules via auditctl, and all attempts cause this response.

Apparently no one using Red Hat is having this problem (i.e., no complaints on this list), which suggests that perhaps the problem is a package dependency problem within Ubuntu, but that's just a guess.

Can someone offer any help or suggestions as to what may be causing this problem for Ubuntu users, and what we might do to fix it?  (I also tried updating to version 1.6.4, which also failed the same way.)

Thanks for any light you can shed!

-- Bill Brennan