Auditing file access below a directory

Steve G linux_4ever at yahoo.com
Mon Nov 28 14:38:43 UTC 2005


>I am using the default that is in RHEL 4 which is 1.0.3.  Should this version
>work or do I need to upgrade to 1.1-1?

1.0.3 does work. The other component is the kernel since it is what actually
performs the audit. You should be using the -22 kernel at a minimum. My guess is
that you don't have the rule exactly right. I would need to know the dir that you
are wanting to audit, to see the output of mount to see your mount table, the
output of running stat on the partition to determine the major & minor numbers,
and auditctl -l to see what is in effect. You can send it off list if you need me
to help.

>If I do need to upgrade then do you know how to uninstall the previous version?

You do not need to upgrade. 1.0.12 is the version for FC4 & RHEL4. 1.1 is for FC5
and future RHEL.

>I tried to install 1.1-1 but after the --rebuild I tried to double-click the
>RPMs and it complained about the 1.0.3 version wanted its lib rpm.

You should just be able to do rpm -Fvh /path-to-rpms/audit-*   The audit srpm
produces 3 packages. Do not upgrade RHEL4 to 1.1.

Hope this helps...

-Steve
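
The four items requested in the message above (directory, mount table entry, major and minor numbers of the partition, and auditctl -l), gathered by one script. This is an added example, not part of the original message; the function names and the sample mount table are constructed for illustration, and it assumes GNU stat and mount points without spaces.

```shell
#!/bin/sh
# Added example: gather the diagnostics requested in the message above.

# Constructed sample of `mount` output, for trying the parser offline.
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw)
/dev/sda3 on /home type ext3 (rw)
none on /proc type proc (rw)'

# mount_entry_for DIR: read `mount` output on stdin and print
# "<device> <mountpoint>" for the filesystem that holds DIR
# (the longest mount point that is a whole-component prefix of DIR).
mount_entry_for() {
    awk -v dir="$1" '
        $2 == "on" {
            mp = $3
            pre = (mp == "/") ? "/" : mp "/"
            if (index(dir "/", pre) == 1 && length(mp) > best) {
                best = length(mp); dev = $1; pt = mp
            }
        }
        END { if (best) print dev, pt }'
}

# dev_numbers NODE: print decimal "major:minor" of a device node such as
# /dev/sda3. GNU stat reports these in hex via %t and %T.
dev_numbers() {
    hex=$(stat -c '%t %T' "$1") || return 1
    set -- $hex
    printf '%d:%d\n' "0x$1" "0x$2"
}

# collect DIR: print everything needed to check a watch rule on DIR.
collect() {
    dir=$(cd "$1" && pwd -P) || return 1
    entry=$(mount | mount_entry_for "$dir")
    echo "directory:   $dir"
    echo "filesystem:  $entry"
    echo "major:minor: $(dev_numbers "${entry%% *}")"
    echo "rules in effect (auditctl -l, needs root):"
    auditctl -l
}

# Run only when a directory is given, e.g.: sh collect.sh /home/alice/private
if [ $# -gt 0 ]; then collect "$1"; fi
```

The parser can be tried without touching the system by piping `$SAMPLE_MOUNT` into `mount_entry_for`.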


		




More information about the selinux mailing list