I am setting audit rules in /etc/audit/audit.rules.
As the requirement: The audit system should be configured to audit all administrative, privileged, and security actions.
So I add one line into /etc/audit/auditd.rules:
-a exit,always -S stime -S acct -S reboot -S swapon
However, after I restart audit.d by service auditd restart:
There is an error coming out:
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Syscall name unknown: stime
There was an error in line 14 of /etc/audit/audit.rules
It seems stime can't be recognized. Could anybody help me to find out what is wrong with my added rule? Thanks a lot!
By chance are you running 64 bit? You might need to qualify the architecture.
So -a exit,always -F arch=b32 -S stime
Let me know.
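Added example (not from the thread): a small POSIX sh helper that builds the rule line separately for each architecture, dropping syscalls that do not exist in that architecture's table. It assumes an x86 host, where stime exists only in the 32-bit table (on x86_64 the equivalent calls are settimeofday/clock_settime), and uses ausyscall(8) from the audit package to check names when it is installed, falling back to a hard-coded LEGACY32 list otherwise.

```shell
#!/bin/sh
# Build per-architecture auditd rules so a 32-bit-only syscall such as stime
# never lands in the b64 rule, which is what auditctl rejects as unknown.

# Assumption: syscalls present only in the 32-bit x86 table.
LEGACY32="stime"

# syscall_known ARCH NAME -> exit 0 if NAME exists for ARCH (b32 or b64).
# Prefers ausyscall(8) when available; otherwise consults LEGACY32 and treats
# every other name as valid on both architectures.
syscall_known() {
    arch=$1; name=$2
    if command -v ausyscall >/dev/null 2>&1; then
        ausyscall "$arch" "$name" >/dev/null 2>&1
        return $?
    fi
    case " $LEGACY32 " in
        *" $name "*) [ "$arch" = b32 ] ;;
        *) true ;;
    esac
}

# rule_for_arch ARCH KEY NAME... -> prints one rule line for ARCH containing
# only the syscalls valid there; prints nothing when none remain.
rule_for_arch() {
    arch=$1; key=$2; shift 2
    out=""
    for s in "$@"; do
        if syscall_known "$arch" "$s"; then
            out="$out -S $s"
        fi
    done
    if [ -n "$out" ]; then
        printf '%s -F arch=%s%s -k %s\n' '-a always,exit' "$arch" "$out" "$key"
    fi
    return 0
}

# build_rules KEY NAME... -> both architecture-qualified lines for the key.
build_rules() {
    key=$1; shift
    rule_for_arch b32 "$key" "$@"
    rule_for_arch b64 "$key" "$@"
}

# Usage with the syscalls from the question (output can go into audit.rules):
build_rules privileged stime acct reboot swapon
```

auditctl accepts "exit,always" and "always,exit" interchangeably, so the generated order is only a convention. The `-k` key is optional but makes the matching events easy to find with `ausearch -k privileged` afterwards.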
Shouldn't you add this to /etc/audit/audit.rules instead?
Got the same on Alpine (64-bit), had to do: