Question about updating audit.rules

Steve Grubb sgrubb at redhat.com
Thu Jun 23 03:16:54 UTC 2016


On Wednesday, June 22, 2016 07:56:23 PM warron.french wrote:
> I am writing puppet modules for work now. I am writing a module
> specifically oriented around audit for Linux and Solaris.
> 
> But I would like to know is after updating audit.rules in Linux with
> immutable mode turned on; is a restart of the audit process actually
> required for the rules to take effect.

In immutable mode, a REBOOT is required to reload audit rules. In immutable 
mode, the rules are locked into the kernel. So, the kernel needs restarting.

-Steve




More information about the Linux-audit mailing list