audit 1.0.14 is much more polished than 0.8.1. It builds and works properly without newer kernel headers, with the following patch from the author: http://people.redhat.com/sgrubb/audit/audit-0.9.14-header.patch Furthermore, it builds and runs properly on amd64. Thanks.
Is there a newer version of this patch for audit-1.2.5? That would go a very long way. I tried this version with 1.2.5, and got this failure:
...
auditctl.c: In function `audit_print_reply':
auditctl.c:1046: error: `AUDIT_SE_USER' undeclared (first use in this function)
auditctl.c:1046: error: (Each undeclared identifier is reported only once
auditctl.c:1046: error: for each function it appears in.)
auditctl.c:1047: error: `AUDIT_SE_CLR' undeclared (first use in this function)
...
I believe audit 1.2.5 requires a 2.6.18 kernel or newer to run properly. 1.0.14 is an acceptable stop-gap measure.
audit-1.2* will run fine on older kernels, so long as it builds in the first place. Which means headers newer than 2.6.17-git3, or a header patch updated from the current one you linked to.
On the flipside, audit-1.0* doesn't run very well on newer kernels, seems to keep dying.
(In reply to comment #4)
> On the flipside, audit-1.0* doesn't run very well on newer kernels, seems to
> keep dying.
>
I've been running 1.0.14 for 24 hours on amd64 (since I last rebooted) ... no issues at all. My audit log has grown to 27MB. Have you had problems with this specific version?
(In reply to comment #5)
> I've been running 1.0.14 for 24 hours on amd64 (since I last rebooted) ... no
> issues at all. My audit log has grown to 27MB. Have you had problems with
> this specific version?
Forgot to mention I am running 2.6.16
Ok, I'm a lot more bleeding edge there. With vanilla 2.6.17 and the git head of 2.6.18, it's not stable.
From the author: "1.2 has an api change. 1.0.14 works with the old passwd, pam, util-linux, shadow-utils patches. You need > 1.1 if you use current pam, passwd, or util-linux. The 1.2.5 version will work with old kernels." Current means, i.e. pam 0.99. The exception being if pam is compiled w/o audit support. Furthermore, he says that the patch to build on old kernels should be simple. Simply remove the include of linux/audit.h and insert the same file from a newer kernel into the build.
Ok, I tried to use the headers from the latest kernel, without success. 1.2.5 fails to build with 2.6.18-rc4.
make[2]: Entering directory `/dev/shm/portage/audit-1.2.5/work/audit-1.2.5/src'
powerpc-unknown-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib -D_REENTRANT -D_GNU_SOURCE -Os -mtune=970 -mcpu=970 -mabi=altivec -maltivec -pipe -Wstrict-aliasing -Wl,-O1 -c auditctl.c
auditctl.c: In function 'audit_print_reply':
auditctl.c:1046: error: 'AUDIT_SE_USER' undeclared (first use in this function)
auditctl.c:1046: error: (Each undeclared identifier is reported only once
auditctl.c:1046: error: for each function it appears in.)
auditctl.c:1047: error: 'AUDIT_SE_CLR' undeclared (first use in this function)
make[2]: *** [auditctl.o] Error 1
Those two constants are not anywhere in the current 2.6.18-rc4 sources.
Ok, 1.2.9 builds 100% now on other kernels and all my hardware (ppc64-32ul, amd64, x86), so it's going into the tree.