Red Hat Bugzilla – Bug 447630
auditctl -w /path -F arch=... not allowed
Last modified: 2008-11-20 16:24:06 EST
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. auditctl -a exit,always -F path=/etc/anacrontab -F arch=i386 -S afs_syscall
2. auditctl -w /etc/anacrontab -F arch=i386 -S afs_syscall -k mydir
2. fails with "-F arch must be before -S"
2. succeeds - 1. and 2. are really the same rule.
The second form is expected to fail. The -w rule construct is for backwards
compatibility with RHEL4. Its limited to just -k and -p options. Any other
option should fail.
To use the advanced features of the new rule/watch system, you should express
the rules in the form of syscall auditing with a path or dir field option.
Thanks, I have modified system-config-audit to respect these rules. Other users
might find them useful, please document them in auditctl(8).
The existing error message should be more general, currently the error message
reports something that obviously isn't true.
I agree that this could be better explained. I'll see if we can update the man
pages as well as auditctl.
A better explanation was added in svn commit 193. Closing this out. Thanks for pointing out the documentation problem.