Hello all,

I am trying to add the following functionality to auditd (via audit.rules) using
the following rules, but the rules don't work on my RHEL ES 4 system (fully
patched). Could someone look at them and tell me what I am doing wrong, or where
I can read how to do it right?

1)
# Ensures that any reads of the audit log by the current user that's logged is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.

RULE:
-w /var/log/audit/audit.log -p r -F auid=-1

ERROR:
List must be given before field

2)
# Ensures that any user who mounts or unmounts a device is audited

RULE:
-a exit,always -S mount -S umount

ERROR:
Syscall name unknown: umount

3)
# ensures auditing whenever the reboot command is sent to the kernel

RULE:
-a always,entry -S socketcall -F a0=13

ERROR:
Syscall name unknown: socketcall

4)
# Ensures auditing of any unauthorized access to roots home directory.

RULE:
-w /root -p rw -F uid!=0

ERROR:
List must be given before field

5)
#Ensure that failed use of the following system calls is audited

RULE:
-a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0 -F
auid=-1 -F auid=0

ERROR:
Syscall name unknown: stime

TIA,

Bill Tangren