rules.d on RHEL6

Steve Grubb sgrubb at redhat.com
Wed Apr 12 15:51:48 UTC 2017


On Wednesday, April 12, 2017 10:18:55 AM EDT warron.french wrote:
> It appears that this directory is not used at all on RHEL6.
> 
> I know I have mentioned this before; but it's true.  If I *move* my copy of
> audit.rules from /etc/audit into the subdirectory rules.d and restart
> audit; the audit.rules file is not recopied/regenerated or whatever by the
> auditd.
> 
> This behavior is different from RHEL7; where if you delete the
> /etc/audit/audit.rules file or move it to /etc/audit/rules.d/audit.rules;
> the auditd functions as I expect.

This is mostly correct. The issue with RHEL 6 is that the augenrules program 
didn't exist when RHEL 6 was originally shipped. So, it would have been bad 
and unexpected for the behavior to suddenly change during an update to a 
shipped product. However, augenrules is useful, and anyone who wants to 
use it on RHEL 6 may do so by opting in.

If you read the text in /etc/sysconfig/auditd you will see an explanation of 
how to enable augenrules.

-Steve

> Can someone please correct my understanding?  Is the /etc/audit/rules.d
> directory not supposed to be usable in RHEL6; but is in RHEL7?
> --------------------------
> Warron French
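
A check for the failure mode discussed in this thread, added here as an example and not taken from the post or from the audit package: it reports which rule source the init script would use and whether files under rules.d are being ignored. It assumes the opt-in switch in /etc/sysconfig/auditd is the `USE_AUGENRULES` key (the post does not name it); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: which rule source does the RHEL 6 init script use, and are
# files in rules.d being ignored? Assumption: the opt-in key is USE_AUGENRULES.

# audit_rules_source ROOT -> prints "augenrules" or "audit.rules"
audit_rules_source() {
    cfg="$1/etc/sysconfig/auditd"
    val=""
    if [ -r "$cfg" ]; then
        # Last uncommented assignment wins, as when the file is sourced.
        val=$(sed -n 's/^[[:space:]]*USE_AUGENRULES="\{0,1\}\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    fi
    if [ "$val" = "yes" ]; then echo "augenrules"; else echo "audit.rules"; fi
}

# check_rules_d ROOT -> 0 consistent, 1 rules.d ignored, 2 no rules loaded
check_rules_d() {
    root="$1"
    src=$(audit_rules_source "$root")
    frags=0
    for f in "$root"/etc/audit/rules.d/*.rules; do
        if [ -f "$f" ]; then frags=$((frags + 1)); fi
    done
    if [ "$src" = "augenrules" ]; then
        echo "OK: rules are built from rules.d ($frags file(s))"
        return 0
    fi
    if [ ! -s "$root/etc/audit/audit.rules" ]; then
        echo "FAIL: augenrules not enabled and audit.rules is missing or empty"
        return 2
    fi
    if [ "$frags" -gt 0 ]; then
        echo "WARN: $frags file(s) in rules.d are ignored"
        return 1
    fi
    echo "OK: rules are loaded from audit.rules"
    return 0
}

# Constructed tree reproducing the report: audit.rules moved into rules.d.
demo_moved_rules() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/audit/rules.d" "$t/etc/sysconfig"
    echo 'USE_AUGENRULES="no"' > "$t/etc/sysconfig/auditd"
    echo '-w /etc/passwd -p wa -k identity' > "$t/etc/audit/rules.d/audit.rules"
    check_rules_d "$t"; rc=$?
    rm -rf "$t"
    return "$rc"
}

demo_moved_rules || echo "exit status: $?"
```

Calling `check_rules_d ""` checks the live system; compare the result with `auditctl -l` after restarting auditd.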




