<html><head></head><body><div class="ydpb45cb906yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div dir="ltr" data-setdir="false">When building a new RHEL v7.8 VM manually, I set up the rules desired in /etc/audit/rules.d/audit.rules, no other changes (because I wanted to narrow down the issue). After subsequent reboots, with no further changes to any audit rules either, I monitor /var/log/messages and I see occurrences like this:</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><div dir="ltr" data-setdir="false">Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change<br><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: No rules</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: enabled 1</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: failure 1</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: pid 1242</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: rate_limit 0</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: backlog_limit 16384</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: lost 56</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: backlog 1</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: enabled 1</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: failure 2</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: pid 1242</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: rate_limit 0</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: backlog_limit 16384</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: lost 56</div><div>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: backlog 0</div><div><b>Sep 22 09:04:24  <span><span>hostxyz 
</span></span>augenrules: usage: auditctl [options]</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -a <l,a>            Append rule to end of <l>ist with <a>ction</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -A <l,a>            Add rule at beginning of <l>ist with <a>ction</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -b <backlog>        Set max number of outstanding audit buffers</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: allowed Default=64</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -c                  Continue through errors in rules</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -C f=f              Compare collected fields if available:</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: Field name, operator(=,!=), field name</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -d <l,a>            Delete rule from <l>ist with <a>ction</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: l=task,exit,user,exclude</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: a=never,always</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -D                  Delete all rules and watches</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -e [0..2]           Set enabled flag</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -f [0..2]           Set failure flag</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: 0=silent 1=printk 2=panic</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -F f=v              Build rule: field name, operator(=,!=,<,>,<=,</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz 
</span></span>augenrules: >=,&,&=) value</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -h                  Help</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -i                  Ignore errors when reading rules from file</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -k <key>            Set filter key on audit rule</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -l                  List rules</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -m text             Send a user-space message</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -p [r|w|x|a]        Set permissions filter on watch</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: r=read, w=write, x=execute, a=attribute</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -q <mount,subtree>  make subtree part of mount point's dir watches</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -r <rate>           Set limit in messages/sec (0=none)</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -R <file>           read rules from file</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -s                  Report status</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -S syscall          Build rule: syscall name or number</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -t                  Trim directory watches</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -v                  Version</b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -w <path>           Insert watch at <path></b></div><div><b>Sep 22 09:04:24  <span><span>hostxyz </span></span>augenrules: -W 
<path>           Remove watch at <path></b></div><div dir="ltr" data-setdir="false"><b>Sep 22 09:04:24  <span><span><span>hostxyz </span></span></span>augenrules: --loginuid-immutable  Make loginuids unchangeable once set</b></div><div><b>Sep 22 09:04:24  <span><span><span>hostxyz </span></span></span>augenrules: --reset-lost         Reset the lost record counter</b></div><div>Sep 22 09:04:24  <span><span><span>hostxyz </span></span></span>systemd: Started Security Auditing Service.</div></div><div><br></div><div dir="ltr" data-setdir="false">The 'usage' of auditctl is invoked the one time in the 'try_load' function of augenrules. Manual executions of "/sbin/auditctl -R /etc/audit/audit.rules" result in essentially the same behavior on the terminal as found in /var/log/messages.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Should execution of augenrules seemingly error out on invocation of auditctl like this?</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Thank you.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">R,</div><div dir="ltr" data-setdir="false">-Joe Wulf<br></div></div></div></body></html>
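As an added example (not from the post or from the audit project), a Python check that pulls augenrules lines like the ones above out of a syslog excerpt, splits them into the two auditctl status dumps, and flags what a defender would want alerted on: auditctl's usage text being logged, the 'No rules' report, a nonzero lost counter, and a failure flag of 2 (panic, per the -f help text). The sample log is constructed from the excerpt; the function name parse_augenrules and the finding strings are my own.

```python
import re

# Constructed sample modelled on the /var/log/messages excerpt in the post.
SAMPLE_LOG = """\
Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a>            Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d +\S+ +(?P<prog>[^:]+): (?P<msg>.*)$")
STATUS_FIELDS = {"enabled", "failure", "pid", "rate_limit", "backlog_limit", "lost", "backlog"}


def parse_augenrules(log_text):
    """Return (blocks, findings): one dict per auditctl status dump (a dump
    starts at each 'enabled' line) and a list of conditions worth alerting on."""
    blocks, current, findings = [], {}, []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "augenrules":
            continue
        msg = m.group("msg")
        key, _, value = msg.partition(" ")
        if key in STATUS_FIELDS and value.isdigit():
            if key == "enabled" and current:   # a second dump begins here
                blocks.append(current)
                current = {}
            current[key] = int(value)
        elif msg.startswith("usage:"):
            # auditctl prints its usage text when it rejects an option or argument
            findings.append("auditctl rejected its command line (usage text logged)")
        elif msg == "No rules":
            findings.append("auditctl reported 'No rules': nothing is loaded")
    if current:
        blocks.append(current)
    final = blocks[-1] if blocks else {}     # state after the load attempt
    if final.get("lost", 0) > 0:
        findings.append("kernel lost %d audit records" % final["lost"])
    if final.get("failure") == 2:
        findings.append("failure flag is 2 (panic on audit failure)")
    return blocks, findings
```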