audit.rules not fully loading into memory according to auditctl -l

warron.french warron.french at gmail.com
Wed Apr 12 16:51:03 UTC 2017


Hello, I am writing a Puppet Module to deliver updates of audit.rules and
auditd.conf configurations to RHEL6 and RHEL7 machines.

The files are laid down correctly for both RHEL6 and RHEL7 within the
appropriate directories:

   - RHEL6 = /etc/audit/audit.rules, for
   - RHEL7 = /etc/audit/rules.d/audit.rules

Anyway, the results for all RHEL7 machines (client versus Server) are
perfect.  The audit.rules are all laid down as expected, and after a reboot
of the system the rules are all 100% in place - just as I need.

The problem is when they are laid down on RHEL6 clients versus Servers, the
behaviors are very different.

For RHEL6 clients I have the following rules intended and loaded into memory:

118 (-a) Action Rules in audit.rules file    118 Action Rules are loaded into memory (YAY!)
 15 (-w) Watch Rules in audit.rules file      15 Watch Rules are loaded into memory (YAY!)
133 Total Rules in audit.rules files         133 Total Rules into memory (YAY!)


For RHEL6 Server, however, I have the following results:

118 (-a) Action Rules in audit.rules file    105 Action Rules are loaded into memory (FAIL)
 15 (-w) Watch Rules in audit.rules file       0 Watch Rules are loaded into memory (HUGE FAIL)
133 Total Rules in audit.rules files         105 Total Rules into memory (YAY!)


This is really a big problem for me.  Can someone help?

--------------------------
Warron French
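
Added example (not part of the original message): one way to make the comparison above repeatable, counting the -a and -w rules in a rules file against a saved `auditctl -l` listing and naming the watch paths that did not load. The function names and sample files are constructed for illustration, and it assumes the listing prints rules in the same -a/-w syntax as the file.

```shell
#!/bin/sh
# count_rules KIND FILE: count rules of KIND ("a" for -a, "w" for -w) in FILE.
count_rules() {
    awk -v k="-$1" '$1 == k { n++ } END { print n + 0 }' "$2"
}

# compare_rules RULES LISTING: print file vs loaded counts; return 1 on shortfall.
compare_rules() {
    rc=0
    for kind in a w; do
        want=$(count_rules "$kind" "$1")
        have=$(count_rules "$kind" "$2")
        status=OK
        if [ "$have" -lt "$want" ]; then status=FAIL; rc=1; fi
        printf '%s rules: %s in file, %s loaded (%s)\n' "-$kind" "$want" "$have" "$status"
    done
    return "$rc"
}

# missing_watches RULES LISTING: print watch paths in RULES absent from LISTING.
missing_watches() {
    awk 'FILENAME == ARGV[1] { if ($1 == "-w") loaded[$2] = 1; next }
         $1 == "-w" && !($2 in loaded) { print $2 }' "$2" "$1"
}

# Constructed sample data: a rules file with one -a rule and two -w rules, and
# a listing in which only the -a rule was loaded. On a real host the listing
# would come from running, as root: auditctl -l > loaded.txt
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/audit.rules" <<'EOF'
# constructed sample rules
-D
-b 8192
-a always,exit -F arch=b64 -S chmod -k perm_mod
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
cat > "$demo/loaded.txt" <<'EOF'
-a always,exit -F arch=b64 -S chmod -F key=perm_mod
EOF

compare_rules "$demo/audit.rules" "$demo/loaded.txt" || true
missing_watches "$demo/audit.rules" "$demo/loaded.txt"
```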