Hi, I am back again. I have some experience and a great deal more comfort with the Linux Audit configurations nowadays. I learned an awful lot by working with CentOS-6; however, this question is focused purely on RHEL-7.
In RHEL-6, audit rules were added directly to /etc/audit/audit.rules, but it seems that in RHEL-7 it is a requirement that they be placed directly in a file (any file?) within /etc/audit/rules.d/. I discovered this by doing some man-page reading of the audit.rules file after my RHEL-6-variant understanding was turned on its ear. So, I created an /etc/audit/rules.d/audit.rules and added my rules in there. I ensured that I set "-e 1" because the value wasn't already set.

I added a watch rule (-w) and at first it didn't take effect; so then I realized, "this is RHEL-7, I have to use systemctl to restart services." That also didn't work. I tested with auditctl -l and looked for my new rules (only 2 of them); then a reboot was committed for something else by a coworker, and after that the auditctl -l command actually did display the updated rules. This is very confusing, but I thought nothing more about it, figuring it is a flaw somewhere.

Anyway, today I added an action rule (-a/syscall rule) and it too has not taken effect; not after a service auditd restart, not after a systemctl restart auditd.service, just nothing. I also read in a community post today that systemctl doesn't handle the restart of auditd very well (the comment came from you, Mr. Grubb). I cannot reboot the server yet, and quite frankly I don't want to be forced to reboot the server every time I add a rule - it's a lab, not production.

Can someone please tell me what I am doing so wrong, with respect to handling audit configurations on a RHEL-7 system, and tell me how to work the processes correctly?

Thanks,
--------------------------
Warron French
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
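The post above describes dropping rule files into /etc/audit/rules.d/ and then not seeing them in auditctl -l. What follows is an added example, not part of the original message or the audit project's own code. On RHEL-7 the files in /etc/audit/rules.d/ that end in .rules are merged by the augenrules script into /etc/audit/audit.rules and then loaded; the script below is my simplified, pure-shell model of that merge (filename collation order, comments dropped, -D first, -e last) so the result can be inspected offline, plus a small wrapper around the real augenrules --load and auditctl -l that only runs when those tools are installed. The sample rules directory and its three rule files are constructed for the demo; the exact reordering augenrules performs beyond -D/-e is an assumption here.

```sh
#!/bin/sh
# Added example (not from the post): model the rules.d merge and show the load step.
# Assumption: the ordering below (-D first, -e last, everything else in file order)
# is a simplified model of what augenrules does; it is not the augenrules script.
set -eu

# compose_rules DIR: merge DIR/*.rules in filename collation order into one
# rule set. Comment and blank lines are dropped; a leading "-D" (delete all
# existing rules) is emitted first and the last "-e" line is emitted last.
# Note: only files ending in .rules are considered, as with augenrules.
compose_rules() {
    dir="$1"
    echo "## This file is automatically generated from ${dir}"
    body=$(for f in "$dir"/*.rules; do
               [ -f "$f" ] || continue
               grep -Ev '^[[:space:]]*(#|$)' "$f" || true
           done)
    printf '%s\n' "$body" | grep -E  '^-D( |$)'        || true   # flush first
    printf '%s\n' "$body" | grep -Ev '^-(D|e)( |$)'    || true   # watches, syscalls, control opts
    printf '%s\n' "$body" | grep -E  '^-e( |$)' | tail -n 1 || true   # enable flag last
}

# count_rules DIR: number of active (non-comment) rule lines the merge yields,
# excluding the generated header. Handy for a quick "did my file get picked up?".
count_rules() {
    compose_rules "$1" | grep -c '^-' || true
}

# load_rules: the live step on a real RHEL-7 host. augenrules --load rebuilds
# /etc/audit/audit.rules from rules.d and loads it; auditctl -l shows what the
# kernel actually has. Caveat: if an earlier load set "-e 2", the rule set is
# immutable until reboot and nothing you load afterwards will show up.
load_rules() {
    if command -v augenrules >/dev/null 2>&1 && command -v auditctl >/dev/null 2>&1; then
        augenrules --load && auditctl -l
    else
        echo "augenrules/auditctl not installed; skipping live load"
    fi
}

# demo: constructed rules.d with a watch rule (-w), a syscall rule (-a),
# control options and an enable flag, then print the merged result.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rules.d"
    cat > "$tmp/rules.d/10-base.rules" <<'EOF'
## Constructed sample: flush existing rules, set buffer size and failure mode
-D
-b 8192
-f 1
EOF
    cat > "$tmp/rules.d/50-watches.rules" <<'EOF'
# Constructed watch rule (-w) and syscall rule (-a) of the kind the post mentions
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
EOF
    cat > "$tmp/rules.d/99-finalize.rules" <<'EOF'
# -e 1 enables auditing; -e 2 would lock the rules until reboot
-e 1
EOF
    compose_rules "$tmp/rules.d"
    echo "## active rule lines: $(count_rules "$tmp/rules.d")"
    rm -rf "$tmp"
}

demo
```

Run it as an unprivileged user to see the merged order the kernel would receive; on the RHEL-7 box itself, call load_rules as root and compare its auditctl -l output with the merged file. A file in rules.d that does not end in .rules, or a rule set locked earlier with -e 2, are the two things this model makes visible that a plain restart does not.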
