Red Hat Bugzilla – Bug 491344
auditctl fails to parse multiple syscall options
Last modified: 2009-04-21 12:45:55 EDT
Description of problem:
auditctl fails to parse comma separated syscall list as -S argument, contrary to man page.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. [root@XXX ~]# auditctl -S open,close
Syscall name unknown: open,close
auditctl fails to add audit rule.
auditctl should add audit rule.
man page indicates that this syntax is valid.
-S [Syscall name or number|all]
Any syscall name or number may be used. The word 'all' may also
You may also specify multiple syscalls in the same rule as a comma separated list with no spaces in between. Doing so improves performance since fewer rules need to be evaluated.
Workaround: specify multiple -S options (... -S open -S close ...)
Oops. That should be against audit-1.7.7-6.el5. Need more coffee.
This looks like a man page error that was corrected in the 5.3 release. The auditctl man page looks like it was corrected sometime before the 1.7.7 release. This is the man page's raw form:
It says to use multiple '-S' options. So, I think we can close this one. If you do have 1.7.7-6 installed, you may want to check that the man page was really updated, rpm -qV audit.
Closing since it appears to be fixed. Thanks for reporting the bug.
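The workaround from the report (one -S per syscall), as an added shell example that is not part of the original bug thread: it rewrites comma separated -S lists into repeated -S options, so the same rule loads on auditctl builds that reject the list form. The function names and sample rules are constructed for illustration, and rule arguments are assumed to contain no quoted spaces.

```shell
#!/bin/sh
# Added example (not from the bug thread). Only the argument that follows -S
# is split on commas; other comma-bearing arguments such as "-a exit,always"
# are left untouched.

# expand_rule ARG... : print one rule with every "-S a,b" expanded
expand_rule() {
    out=""
    after_S=0
    for tok in "$@"; do
        if [ "$after_S" -eq 1 ]; then
            after_S=0
            old_ifs=$IFS; IFS=,
            set -f                      # no globbing while splitting
            for name in $tok; do
                if [ -n "$name" ]; then out="$out -S $name"; fi
            done
            set +f; IFS=$old_ifs
        elif [ "$tok" = "-S" ]; then
            after_S=1
        else
            out="$out $tok"
        fi
    done
    # A trailing -S with no argument is passed through for auditctl to reject
    if [ "$after_S" -eq 1 ]; then out="$out -S"; fi
    printf '%s\n' "${out# }"
}

# expand_rules : filter rule lines on stdin (audit.rules style) to stdout
expand_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) printf '%s\n' "$line" ;;   # keep blanks and comments
            *) set -f; expand_rule $line; set +f ;;
        esac
    done
}

# Constructed sample rule; prints the expanded form
expand_rule -a exit,always -S open,close -k file-io
```

Pipe a rules file through `expand_rules` and review the output before loading it with auditctl.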