Description of problem:
When trying to set a watch on a directory or file as shown in sample.rules, I receive the following error message:

Error sending watch insert request (Invalid argument)

This error message occurs when trying to configure the watch in /etc/audit.rules with the line:

-w /var/log/audit/audit.log -k AUDIT_LOG

It also occurs when using the auditctl command to add the watch.

Version-Release number of selected component (if applicable):
# rpm -q audit
audit-1.1.5-1

How reproducible:
Always

Steps to Reproduce:
1. Modify /etc/audit.rules to include watch
2. Start or restart auditd
3. See error message

Actual results:
Error message

Expected results:
Successful addition of watch and audit messages about changes to files in directory

Additional info:
File system watch support depends on the kernel you are running. For Fedora, we are hoping to have it all upstream in the 2.6.18 kernel. The people doing netlink communication changed the protocol in 2.6.16 and audit 1.1.5 doesn't understand the reply and prints the message you are getting. It used to say watches not supported. The plan we are working on is to try to get watches stabilized for inclusion in the next kernel and then update Fedora so that it all works when the right kernel finally gets loaded. Do you want me to patch 1.1.5 so that it says "watches not supported"?
Thanks for letting me know why it doesn't work. If it is going to be a while before watches work again, it would save others time if it says "watches not supported at this time" or maybe something like "watches unavailable, waiting for kernel support" so users know it is something that will be fixed in the future.
The 2.6.18rc7 kernel has all the features for file watches.
audit 1.2.7 was built for FC5 & FC6. It provides the user space side of the audit system from the 2.6.18 kernel. Please upgrade both packages when they are released. Thanks for reporting the problem.
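The preflight check implied by the replies above, written as an added example (it is not from the bug thread or the audit project): before a watch rule such as the one in the report is loaded, it compares the running kernel and the audit user-space version against the 2.6.18 / 1.2.7 minimums stated in the thread and prints the "watches unavailable" wording the reporter asked for. The rpm query format and the version-string normalisation are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from the audit package.
# Assumption (from the thread): file watches need kernel >= 2.6.18 and the
# audit user space >= 1.2.7, because older auditctl cannot parse the netlink
# reply introduced in 2.6.16 and reports "Invalid argument" instead.

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# A trailing "-release" or "rcN" suffix is stripped (assumed normalisation),
# so 2.6.18rc7 and 2.6.18-1.2798.fc6 both compare as 2.6.18.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[-_].*//; s/rc.*//')
    b=$(printf '%s' "$2" | sed 's/[-_].*//; s/rc.*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
        x=${x:-0}; y=${y:-0}                      # missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# watch_preflight KERNEL_VERSION AUDIT_VERSION: print a status line and return
# 0 only when both sides are new enough to accept a "-w path -k key" rule.
watch_preflight() {
    kernel=$1   # e.g. the output of: uname -r
    audit=$2    # e.g. the output of: rpm -q --qf '%{VERSION}' audit
    if ! version_ge "$kernel" 2.6.18; then
        echo "watches unavailable, waiting for kernel support (running $kernel, need 2.6.18)"
        return 1
    fi
    if ! version_ge "$audit" 1.2.7; then
        echo "watches unavailable: audit $audit cannot parse the newer netlink reply, need 1.2.7"
        return 1
    fi
    echo "ok: kernel $kernel with audit $audit supports file watches"
    return 0
}

# Live use (root, rpm-based system): only load the rule when the check passes.
# watch_preflight "$(uname -r)" "$(rpm -q --qf '%{VERSION}' audit)" \
#     && auditctl -w /var/log/audit/audit.log -k AUDIT_LOG
```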