Red Hat Bugzilla – Bug 189687
watches don't work
Last modified: 2007-11-30 17:11:31 EST
Description of problem:
When trying to set a watch on a directory or file as shown in sample.rules, I
receive the following error message:
Error sending watch insert request (Invalid argument)
This error message occurs when trying to configure the watch in /etc/audit.rules
with the line:
-w /var/log/audit/audit.log -k AUDIT_LOG
It also occurs when using the auditctl command to add the watch.
Version-Release number of selected component (if applicable):
# rpm -q audit
Steps to Reproduce:
1. Modify /etc/audit.rules to include watch
2. Start or restart auditd
3. See error message
Successful addition of watch and audit messages about changes to files in directory
File system watch support depends on the kernel you are running. For Fedora, we
are hoping to have it all upstream in the 2.6.18 kernel. The people doing
netlink communication changed the protocol in 2.6.16 and audit 1.1.5 doesn't
understand the reply and prints the message you are getting. It used to say
watches not supported.
The plan we are working is to try to get watches stabilized for inclusion in the
next kernel and then update Fedora so that it all works when the right kernel
finally gets loaded. Do you want me to patch 1.1.5 so that it says "watches not
Thanks for letting me know why it doesn't work. If it is going to be a while
before watches work again, it would save others time if it says "watches not
supported at this time" or maybe something like "watches unavailable, waiting
for kernel support" so users know it is something that will be fixed in the future.
The 2.6.18rc7 kernel has all the features for file watches.
audit 1.2.7 was built for FC5 & FC6. It provides the user space side of the
audit system from the 2.6.18 kernel. Please upgrade both packages when they are
released. Thanks for reporting the problem.
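
A preflight check for the condition this thread describes, as an added example that is not part of the original bug report or of the audit project's code. It uses the thresholds named above (kernel 2.6.18, audit 1.2.7); the function names are hypothetical, and any 2.6.18 pre-release is treated as 2.6.18, which is an assumption beyond the rc7 statement in the thread.

```shell
#!/bin/sh
# Added example: check kernel and audit userspace versions before loading -w rules.
# Thresholds are taken from the thread; function names are hypothetical.
MIN_KERNEL="2.6.18"
MIN_AUDIT="1.2.7"

# numeric_prefix "2.6.17-1.2157_FC5" -> "2.6.17" (drops the build suffix).
# Assumption: an -rcN suffix is dropped too, so 2.6.18-rc7 counts as 2.6.18.
numeric_prefix() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//'
}

# version_ge A B: succeeds when dotted version A >= B, compared field by field.
# Missing fields count as 0, so "2.6" is older than "2.6.18".
version_ge() {
    a=$(numeric_prefix "$1"); b=$(numeric_prefix "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# watch_support KERNEL_RELEASE AUDIT_VERSION
# Prints a verdict and returns 0 only when both sides meet the thresholds.
watch_support() {
    if ! version_ge "$1" "$MIN_KERNEL"; then
        echo "unsupported: kernel $1 predates $MIN_KERNEL file watch support"
        return 1
    fi
    if ! version_ge "$2" "$MIN_AUDIT"; then
        echo "unsupported: audit $2 is older than $MIN_AUDIT"
        return 1
    fi
    echo "supported"
}

# Typical call on an RPM-based host:
#   watch_support "$(uname -r)" "$(rpm -q --qf '%{VERSION}' audit)"
```

Running this before `auditctl -w` turns the opaque "Invalid argument" failure into a statement of which side, kernel or userspace, is too old.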