audit.rules not fully loading into memory according to auditctl -l

Steve Grubb sgrubb at redhat.com
Wed Apr 12 17:22:37 UTC 2017


On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
> Hello, I am writing a Puppet Module to deliver updates of audit.rules and
> auditd.conf configurations to RHEL6 and RHEL7 machines.
> 
> The files are laid down correctly for both RHEL6 and RHEL7 within the
> appropriate directories:
> 
>    - RHEL6 = /etc/audit/audit.rules, for
>    - RHEL7 = /etc/audit/rules.d/audit.rules
> 
> Anyway, the results for all RHEL7 machines (client versus Server) are
> perfect.  The audit.rules are all laid down as expected, and after a reboot
> of the system the rules are all 100% in place - just as I need.
> 
> The problem is when they are laid down on RHEL6 clients versus Servers, the
> behaviors are very different.
> 
> For RHEL6 clients I have the following intentions and what is loaded into memory:
> 
>   In audit.rules file           Loaded into memory
>   118 (-a) Action Rules         118 Action Rules  (YAY!)
>    15 (-w) Watch Rules           15 Watch Rules   (YAY!)
>   133 Total Rules               133 Total Rules   (YAY!)
> 
> 
> For the RHEL6 Server, however, I have the following results:
> 
>   In audit.rules file           Loaded into memory
>   118 (-a) Action Rules         105 Action Rules  (FAIL)
>    15 (-w) Watch Rules            0 Watch Rules   (HUGE FAIL)
>   133 Total Rules               105 Total Rules   (YAY!)
> 
> 
> This is really a big problem for me.  Can someone help?

Was there anything in syslog from auditctl? 

When auditctl runs across a rule with syntax errors, the default action is to 
log it and stop. This way it causes the most noticeable thing to happen. 
However, some people don't like this behavior so they pass a '-c' option near 
the beginning of the rules. This causes it to keep processing but ultimately 
return an error at exit. Some people didn't like that auditctl returned an 
error, so the '-i' option was created for people that can't be bothered with 
failure even in the face of failure.

Check for a syntax error in the rules. It should be in syslog.

-Steve
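The check Steve's reply implies, written out as an added example (it is not code from either poster or from the audit package): count the -a and -w rules in an audit.rules file, count what a captured `auditctl -l` listing actually reports, and flag whether the file carries the -c or -i flag that decides if a bad line stops loading. It assumes the listing is either the newer auditctl output, where rules are printed back in -a/-w syntax, or the older RHEL6-era "LIST_RULES: ..." form in which watches carry a "watch=PATH" field; the rules file, the listing and the bad rule in the demo are all constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from the
# audit package.  Compares rule counts in an audit.rules file with a captured
# `auditctl -l` listing so a gap like the RHEL6 server case is caught by a
# script, and reports whether the file has a -c/-i flag.
#
# Assumptions: `auditctl -l` output is either the newer form (rules printed in
# -a/-w syntax) or the older "LIST_RULES: ..." form with a "watch=PATH" field
# on watch rules.  All sample data below is constructed.

# count_file_rules FILE -> "ACTION WATCH TOTAL"
# Counts -a/-A (syscall) and -w (watch) lines.  Comments, blank lines and
# control directives (-D, -b, -c, -i, -e, -f, ...) are not rules; skipped.
count_file_rules() {
  awk '
    /^[[:space:]]*#/ { next }
    NF == 0          { next }
    $1 == "-a" || $1 == "-A" { a++; next }
    $1 == "-w"               { w++; next }
    END { printf "%d %d %d\n", a + 0, w + 0, a + w + 0 }
  ' "$1"
}

# count_loaded_rules FILE -> "ACTION WATCH TOTAL", FILE holding `auditctl -l`
# output.  Handles both output forms named above; "No rules" counts as nothing.
count_loaded_rules() {
  awk '
    $1 == "-a" || $1 == "-A" { a++; next }
    $1 == "-w"               { w++; next }
    $1 == "LIST_RULES:"      { if ($0 ~ / watch=/) w++; else a++; next }
    END { printf "%d %d %d\n", a + 0, w + 0, a + w + 0 }
  ' "$1"
}

# has_continue_flag FILE -> exit 0 if the file tells auditctl to keep going past
# a bad line (-c) or to ignore errors outright (-i); exit 1 if it does not, in
# which case the first syntax error stops loading and later rules stay unloaded.
has_continue_flag() {
  grep -Eq '^[[:space:]]*-(c|i)([[:space:]]|$)' "$1"
}

# compare_rules RULES_FILE LISTING_FILE -> prints a report; exit 0 only if the
# action and watch counts match.  Runs in a subshell so `set --` stays local.
compare_rules() (
  in_file=$(count_file_rules "$1")
  loaded=$(count_loaded_rules "$2")
  set -- $in_file $loaded   # unquoted on purpose: fa fw ft la lw lt
  printf 'action (-a) rules: %s in file, %s loaded\n' "$1" "$4"
  printf 'watch  (-w) rules: %s in file, %s loaded\n' "$2" "$5"
  printf 'total       rules: %s in file, %s loaded\n' "$3" "$6"
  [ "$1" -eq "$4" ] && [ "$2" -eq "$5" ]
)

# demo: constructed rules file with one bad line and no -c/-i, plus a constructed
# listing showing that auditctl stopped at the bad line, so no watch loaded.
demo() (
  d=$(mktemp -d) || exit 1
  cat > "$d/audit.rules" <<'EOF'
# constructed sample, not the poster's file
-D
-b 8192
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S chmod -S fchmod -k perm_mod
-a always,exit -F arch=b64 -S no_such_syscall -k broken
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
  cat > "$d/auditctl-l.txt" <<'EOF'
-a always,exit -F arch=b64 -S execve -F key=exec
-a always,exit -F arch=b64 -S chmod,fchmod -F key=perm_mod
EOF
  if ! compare_rules "$d/audit.rules" "$d/auditctl-l.txt"; then
    echo "rules missing: look for the auditctl error in syslog"
    has_continue_flag "$d/audit.rules" ||
      echo "no -c/-i in the file: loading stops at the first bad line"
  fi
  rm -rf "$d"
)

demo
```

On a live RHEL6 host the listing comes from `auditctl -l > listing.txt`, and the error Steve points at is what `auditctl -R /etc/audit/audit.rules` prints to stderr for the offending line, which on RHEL6 also lands in syslog (/var/log/messages). The counting is deliberately dumb: it does not validate rule syntax itself, it only shows where the file and the kernel disagree so you know which line to look for.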
