Red Hat Bugzilla – Bug 495711
Some audit rules will not load even though they are correct
Last modified: 2010-10-14 04:11:57 EDT
Description of problem:
Some audit rules fail to work. For example:
auditctl -a exit,always -F arch=b64 -S pread -F 'ppid=1'
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. auditctl -a exit,always -F arch=b64 -S pread -F 'ppid=1'
ppid=1 can only be used with exit and entry filter list
rule loaded into kernel
audit-1.7.7-6.el5.3.2 was built to resolve this problem.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.