error in line 5 of /etc/audit/audit.rules RHEL5u3
I'm receiving an error when trying to start/restart my auditd service. It was working until I made a few changes. I'm running RHEL5u3. Any suggestions? I've commented out line 5 and I still get the same error. I think it might be a bug, but don't really know for sure.
======
Starting auditd: [FAILED]
There was an error in line 5 of /etc/audit/audit.rules
=======
My /etc/audit/audit.rules
==========
# This is a sample rule set. The rules are executed from top
# to bottom. A '#' denotes comments. The rules are basically
# the auditctl commandline parameters.
# Remove existing rules
-D
# Enable auditing
-e 1
# Increase kernel buffer size
-b 8192
# Failure of auditd causes a kernel panic
-f 2
#
# Audit1: audit accesses to security relevant files
#
# watch passwd databases
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group -p wa
# pam configuration
-w /etc/pam.d
# auditd configuration
#-w /etc/auditd.conf
#-w /etc/audit.rules
# watch utmp,wtmp
-w /var/run/utmp
-w /var/run/wtmp
# watch system log files
-w /var/log/messages
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log
# watch audit subsystem's configuration files
-w /etc/auditd.conf -p wa
-w /etc/audit.rules -p wa
# SELinux configuration
-w /etc/selinux/config -p wa
# login records
-w /var/log/lastlog
-w /var/log/faillog
# login configuration
-w /etc/login.defs
# init configuration
-w /etc/rc.d/init.d
-w /etc/inittab -p wa
# sshd configuration
-w /etc/ssh/sshd_config
# audit creating new directories
-a exit,always -S mkdir -F auid!=0
# audit chmod,chown for non-root users
-a exit,always -S chmod -S fchmod -F auid!=0
-a exit,always -S chown -S fchown -S lchown -F auid!=0
# changes to security labels
-a exit,always -S setxattr -S lsetxattr -S fsetxattr
-a exit,always -S removexattr -S lremovexattr -S fremovexattr
|