Description of problem:
auditctl fails to parse comma separated syscall list as -S argument, contrary to man page.

Version-Release number of selected component (if applicable):
audit-1.6.5-9.el5

How reproducible:

Steps to Reproduce:
1. [root@XXX ~]# auditctl -S open,close
Syscall name unknown: open,close

Actual results:
auditctl fails to add audit rule.

Expected results:
auditctl should add audit rule.

Additional info:
man page indicates that this syntax is valid.

-S [Syscall name or number|all]
    Any syscall name or number may be used. The word 'all' may also be used. [...] You may also specify multiple syscalls in the same rule as a comma separated list with no spaces in between. Doing so improves performance since fewer rules need to be evaluated. [...]

Workaround: specify multiple -S options (... -S open -S close ...)
Oops. That should be against audit-1.7.7-6.el5. Need more coffee.
This looks like a man page error that was corrected in the 5.3 release. The auditctl man page looks like it was corrected sometime before the 1.7.7 release. This is the man page's raw form: https://fedorahosted.org/audit/browser/tags/audit-1.7.7/docs/auditctl.8#L92 It says to use multiple '-S' options. So, I think we can close this one. If you do have 1.7.7-6 installed, you may want to check that the man page was really updated, rpm -qV audit. Closing since it appears to be fixed. Thanks for reporting the bug.
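
The workaround from this report (one -S option per syscall), as an added example that is not part of the original bug thread: a shell helper that expands a comma separated list into repeated -S options and rejects malformed lists. The function name `expand_syscalls` is hypothetical, and the `-a exit,always` rule in the demo line is a sample rule chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the audit project.
# expand_syscalls (hypothetical name) turns "open,close" into "-S open -S close"
# for auditctl builds that reject a comma separated -S argument.

# The body is a subshell so the IFS and globbing changes do not leak out.
expand_syscalls() (
    list=$1
    out=

    # Reject empty input and empty fields (leading, trailing or doubled commas).
    case $list in
        ''|,*|*,|*,,*)
            echo "expand_syscalls: malformed list: '$list'" >&2
            exit 1
            ;;
    esac

    IFS=,
    set -f    # keep a stray '*' from being expanded against the filesystem
    for name in $list; do
        # Syscall names and numbers are plain words; this also catches the
        # spaces that the man page text quoted in the report disallows.
        case $name in
            *[!A-Za-z0-9_]*)
                echo "expand_syscalls: bad syscall name: '$name'" >&2
                exit 1
                ;;
        esac
        out="${out:+$out }-S $name"
    done

    printf '%s\n' "$out"
)

# Demo: print the command line instead of running it (auditctl needs root).
echo "auditctl -a exit,always $(expand_syscalls open,close)"
```

Because a malformed list produces no output and a non-zero status, a rule generator can check the helper's exit code before calling auditctl.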