On the TODO list you might add a way to delete all rules with auditctl (maybe a -D switch?). The current removal method, rule by rule, is awkward and error-prone due to the format of output using the -l switch. (I hope I didn't miss something in a man page). -Tom Browder