Description of problem:

man auditctl:
...
-a list,action
    Append rule to the end of list with action. Please note the comma separating the two values.
...

man audit.rules:
...
-a action,list -S syscall -F field=value -k keyname
    The -a option tells the kernel’s rule matching engine that we want to append a rule and the end of the rule list.
...

Additionally both options do work:

    # auditctl -a entry,always -F arch=b32 -S execve -F euid=0
    # auditctl -a always,entry -F arch=b32 -S execve -F uid=0
    # auditctl -l
    LIST_RULES: entry,always arch=1073741827 (0x40000003) euid=0 syscall=execve
    LIST_RULES: entry,always arch=1073741827 (0x40000003) uid=0 syscall=execve

This seems to have been fixed upstream:
https://fedorahosted.org/audit/changeset/418
And this fix is due to be included in RHEL6.1

Version-Release number of selected component (if applicable):
audit-1.7.17-3.el5

How reproducible:
always

Steps to Reproduce:
1. man auditctl
2. man audit.rules
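
Because auditctl accepts both orders, a script that compares required audit rules against a rules file has to treat "-a entry,always" and "-a always,entry" as the same rule. The following is an added example, not part of the original report or of the audit package: the function names are hypothetical, the list and action names are assumed from the auditctl man page, the sample rules are constructed from the two commands above, and the order of -F and -S options is ignored as well.

```python
import shlex

# Assumption: filter list and action names as documented in the auditctl man page.
LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}

def normalize_rule(line):
    """Canonical form of one '-a' rule; None for lines that append no rule."""
    tokens = shlex.split(line, comments=True)
    if tokens[:1] == ["auditctl"]:
        tokens = tokens[1:]
    if "-a" not in tokens:
        return None
    filt = action = key = None
    fields, syscalls = set(), set()
    it = iter(tokens)
    for opt in it:
        val = next(it, None)
        if val is None:
            raise ValueError(f"{opt} has no value in: {line!r}")
        if opt == "-a":
            parts = val.split(",")
            lst, act = set(parts) & LISTS, set(parts) & ACTIONS
            if len(parts) != 2 or len(lst) != 1 or len(act) != 1:
                raise ValueError(f"need one list and one action, got {val!r}")
            filt, action = lst.pop(), act.pop()
        elif opt == "-F":
            fields.add(val)
        elif opt == "-S":
            syscalls.add(val)
        elif opt == "-k":
            key = val
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line!r}")
    # list,action order matches what 'auditctl -l' prints in the report.
    return (filt, action, frozenset(fields), frozenset(syscalls), key)

def missing_rules(required, configured):
    """Required rules with no equivalent among the configured lines."""
    have = {normalize_rule(c) for c in configured}
    return [r for r in required if normalize_rule(r) not in have]

# Constructed sample, built from the two commands in the report.
CONFIGURED = ["-a entry,always -F arch=b32 -S execve -F euid=0",
              "-a always,entry -F arch=b32 -S execve -F uid=0"]
REQUIRED = ["-a always,entry -F arch=b32 -S execve -F euid=0",  # present, other order
            "-a entry,always -F arch=b32 -S execve -F auid=0"]  # not configured

if __name__ == "__main__":
    print(missing_rules(REQUIRED, CONFIGURED))
```
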
audit-1.8-1.el5 was built to address this problem.
Patch was missing - now fixed in audit-1.8-2.el5.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0265.html