Bug 189687

Summary: watches don't work
Product: [Fedora] Fedora Reporter: Tammy Fox <tammy.c.fox>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: 1.2.7-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-09-19 14:55:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tammy Fox 2006-04-23 02:19:21 UTC 
Description of problem:
When trying to set a watch on a directory or file as shown in sample.rules, I
receive the following error message:

Error sending watch insert request (Invalid argument)

This error message occurs when trying to configure the watch in /etc/audit.rules
with the line:

-w /var/log/audit/audit.log -k AUDIT_LOG

It also occurs when using the auditctl command to add the watch.

Version-Release number of selected component (if applicable):

# rpm -q audit
audit-1.1.5-1

How reproducible:

Always

Steps to Reproduce:
1.Modify /etc/audit.rules to include watch
2.Start or restart auditd
3.See error message
  
Actual results:
Error message

Expected results:
Successful addition of watch and audit messages about changes to files in directory

Additional info:
Comment 1 Steve Grubb 2006-04-23 11:47:20 UTC 
File system watch support depends on the kernel you are running. For fedora, we
are hoping to have it all upstream in the 2.6.18 kernel. The people doing
netlink communication changed the protocol in 2.6.16 and audit 1.1.5 doesn't
understand the reply and prints the message you are getting. It used to say
watches not supported. 

The plan we are working is to try to get watches stabilized for inclusion in the
next kernel and then update fedora so that it all works when the right kernel
finally gets loaded. Do you want me to patch 1.1.5 so that it says "watches not
supported"?
Comment 2 Tammy Fox 2006-04-23 18:00:31 UTC 
Thanks for letting me know why it doesn't work. If it is going to be a while
before watches work again, it would save others time if it says "watches not
supported at this time" or maybe something like "watches unavailable, waiting
for kernel support" so users know it is something that will be fixed in the future.
Comment 3 Steve Grubb 2006-09-14 20:47:26 UTC 
The 2.6.18rc7 kernel has all the features for file watches.
Comment 4 Steve Grubb 2006-09-19 14:55:57 UTC 
audit 1.2.7 was built for FC5 & FC6. It provides the user space side of the
audit system from the 2.6.18 kernel. Please upgrade both packages when they are
released. Thanks for reporting the problem.