Audit not logging SuSE 10.1
I am trying to get Audit to log on my SuSE 10.1. We have the same box running SuSE 11 and it works fine, but I cannot seem to get it working on 10.
I tried to upload the nispom.rules and stig.rules to /etc, performed a reboot, then issued auditctl -l, and it returns "no rules...File System watches not supported".
auditctl -e returns "enabled=1 flag=1 pid=3598 rate_limit=0 backlog_limit=64 lost=0 backlog=0", so it appears auditd is enabled, just not logging.
I also checked /etc/sysconfig/auditd and found the value AUDITD_DISABLE_CONTEXTS = YES. I changed this to NO and did a reboot again, but still the audit.log was not filling up with any events.
It appears after each reboot the audit.log file grows with the same set of information but then never actually continues to audit/grow.
One thing I did notice was that the nispom.rules and stig.rules files I found said they should be placed in /etc/audit/audit.rules, but this is SuSE 10 and the default file is in /etc/audit.rules. Are these rule sets the same between 10 and 11? They appear to be.
Any suggestions appreciated.
Thanks