I am setting audit rules in /etc/audit/audit.rules.

The requirement is: the audit system should be configured to audit all administrative, privileged, and security actions.

So I added one line to /etc/audit/auditd.rules:

-a exit,always -S stime -S acct -S reboot -S swapon

However, after I restart auditd with service auditd restart, this error comes out:

Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
Syscall name unknown: stime
There was an error in line 14 of /etc/audit/audit.rules

It seems stime can't be recognized. Could anybody help me find out what is wrong with my added rule? Thanks a lot!

zhaojing

3 Answers

By chance are you running 64 bit? You might need to qualify the architecture.

So -a exit,always -F arch=b32 -S stime

Let me know.

Cary Golomb
Don't forget you can check if an audit is in a certain architecture by running ausyscall stime x86_64 or ausyscall stime i686 – Jason Apr 06 '12 at 21:01
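To catch the problem this answer describes before restarting the service, here is a small checker, added as an example and not code from any answer here or from the audit package itself: it walks a rules file with the same line numbering auditctl reports in "error in line N" and flags syscall rules that have no -F arch= at all or that place it after -S, plus a helper that inserts the qualifier where auditctl expects it. The rules-file contents are constructed for the example; the 32-bit-only status of stime on x86_64 is what the original error message reflects.

```python
import re
from dataclasses import dataclass

# Constructed sample rules file for this example (not the asker's file); line 5
# has the shape of the rule from the question, line 7 puts -F arch= after -S.
SAMPLE_RULES = """\
## constructed rules file
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a exit,always -S stime -S acct -S reboot -S swapon
-a exit,always -F arch=b32 -S stime -k time-change
-a exit,always -S settimeofday -F arch=b64 -k time-change
"""

ARCH_RE = re.compile(r"-F\s+arch=(\S+)")
SYSCALL_RE = re.compile(r"-S\s+(\S+)")

@dataclass
class Finding:
    lineno: int   # 1-based, the numbering auditctl uses in "error in line N"
    message: str

def lint_audit_rules(text: str) -> list[Finding]:
    """Flag -S rules that auditctl resolves against the wrong syscall table.
    auditctl maps each -S name to a number using the arch in effect when it
    reads that -S; with no -F arch= that is the host's native table, so a
    32-bit-only name like stime fails on x86_64 with 'Syscall name unknown'."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] not in ("-a", "-A"):
            continue
        first_s = SYSCALL_RE.search(line)
        if first_s is None:        # watch (-w), -D, -b and similar lines
            continue
        arch = ARCH_RE.search(line)
        if arch is None:
            findings.append(Finding(lineno, f"-S {first_s.group(1)} has no -F arch=; "
                                    "the name is looked up in the native table only"))
        elif arch.start() > first_s.start():
            findings.append(Finding(lineno, f"-F arch={arch.group(1)} comes after -S "
                                    f"{first_s.group(1)}; move it before the first -S"))
    return findings

def add_arch(rule: str, arch: str) -> str:
    """Insert -F arch=<arch> right after the '-a list,action' pair, before any -S."""
    parts = rule.split()
    return " ".join(parts[:2] + [f"-F arch={arch}"] + parts[2:])
```

Run it over the real /etc/audit/audit.rules before service auditd restart; on a 64-bit host every -S rule for a 32-bit-only syscall needs -F arch=b32, as the answer says.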

Got the same on Alpine (64-bit), had to do:

-a exit,always -F arch=b64 -S stime

Shouldn't you add this to /etc/audit/audit.rules instead?

Janne Pikkarainen
I'm sorry, in fact I added it to /etc/audit/audit.rules, but I didn't say so clearly in the question. – zhaojing Sep 10 '10 at 08:21