On Oct 26, 2015, at 11:55 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: On Friday, October 23, 2015 07:16:40 PM Kangkook Jee wrote: > Hi, all > > From my Raspberry Pi machine (running Debian Wheezy distribution), I could > see the kernel is built with audit enabled, and I could manage to install > user-space audit client with the following command. > > pi@raspberrypi ~ $ sudo apt-get install auditd > > However, when I tried to enable audit issuing the following commands it > doesn’t seem to run properly. > > pi@raspberrypi ~ $ sudo auditctl -l > No rules > pi@raspberrypi ~ $ sudo auditctl -a entry,always -S open > Error detecting machine type > pi@raspberrypi ~ $ sudo auditctl -a entry,always -F arch=armeb -S open > arch=armeb machine type not found > > Can anyone tell me whether audit support ARM based linux systems? Yes. It was added starting in 2.0.4 and was corrected several times. > Here’s my system information and thanks a lot for your help in advance! > > pi@raspberrypi ~ $ sudo uname -a > Linux raspberrypi 3.18.11-v7+ #781 SMP PREEMPT Tue Apr 21 18:07:59 BST 2015 > armv7l GNU/Linux > > pi@raspberrypi ~ $ dpkg -l |grep audit > ii auditd 1:1.7.18-1.1 > armhf User space tools for security auditing ii libaudit0 > 1:1.7.18-1.1 armhf That one is too old. You need a newer audit package. -Steve

Dear Steve, I built auditctl from recent audit source and tried it again but I failed with the following errors. pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400 AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400 pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F arch=armeb -S clone arch elf mapping not found pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone Error detecting machine type Would you help me with this?

On Oct 26, 2015, at 4:57 PM, Kangkook Jee <aixer77(a)gmail.com&gt; wrote: I added “—with-armeb” should it be just “—with-arm” ? This following shows my configuration status. pi@raspberrypi ~/audit-2.4.4 $ grep arm config.status ac_cs_config="'--with-armeb'" set X /bin/bash './configure' '--with-armeb' $ac_configure_extra_args --no-create --no-recursion host='armv7l-unknown-linux-gnueabihf' build='armv7l-unknown-linux-gnueabihf' sys_lib_search_path_spec='/usr/lib/gcc/arm-linux-gnueabihf/4.9 /usr/lib/arm-linux-gnueabihf /usr/lib /lib/arm-linux-gnueabihf /lib ' sys_lib_dlsearch_path_spec='/lib64 /usr/lib64 /lib /usr/lib /opt/vc/lib /lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf /usr/lib/arm-linux-gnueabihf/libfakeroot /usr/local/lib ' S["target_cpu"]="armv7l" S["target"]="armv7l-unknown-linux-gnueabihf" S["host_cpu"]="armv7l" S["host"]="armv7l-unknown-linux-gnueabihf" S["build_cpu"]="armv7l" S["build"]="armv7l-unknown-linux-gnueabihf” > On Oct 26, 2015, at 4:37 PM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > > On Monday, October 26, 2015 04:25:57 PM Kangkook Jee wrote: >> Dear Steve, >> >> I built auditctl from recent audit source and tried it again but I failed >> with the following errors. >> >> pi@raspberrypi ~/audit-2.4.4 $ sudo auditctl -e1 -b 102400 >> AUDIT_STATUS: enabled=1 flag=1 pid=2022 rate_limit=0 backlog_limit=320 >> lost=0 backlog=0 (reverse-i-search)`b': sudo auditctl -e1 -^C102400 >> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -F >> arch=armeb -S clone arch elf mapping not found >> pi@raspberrypi ~/audit-2.4.4 $ sudo src/auditctl -a exit,always -S clone >> Error detecting machine type >> >> Would you help me with this? > > Did you add --with-arm to the ./configure line? Its disabled by default. > > -Steve