Hello, I am writing a Puppet Module to deliver updates of audit.rules and auditd.conf configurations to RHEL6 and RHEL7 machines.
The files are laid down correctly for both RHEL6 and RHEL7 within the appropriate directories:

- RHEL6 = /etc/audit/audit.rules
- RHEL7 = /etc/audit/rules.d/audit.rules

Anyway, the results for all RHEL7 machines (client versus Server) are perfect. The audit.rules are all laid down as expected, and after a reboot of the system the rules are all 100% in place - just as I need.

The problem is when they are laid down on RHEL6 clients versus Servers, the behaviors are very different.

For RHEL6 clients I have the following intentions and loaded into memory:

- 118 (-a) Action Rules in audit.rules file
- 118 Action Rules are loaded into memory (YAY!)
- 15 (-w) Watch Rules in audit.rules file
- 15 Watch Rules are loaded into memory (YAY!)
- 133 Total Rules in audit.rules files
- 133 Total Rules into memory (YAY!)

For RHEL6 Server, however, I have the following results:

- 118 (-a) Action Rules in audit.rules file
- 105 Action Rules are loaded into memory (FAIL)
- 15 (-w) Watch Rules in audit.rules file
- 0 Watch Rules are loaded into memory (HUGE FAIL)
- 133 Total Rules in audit.rules files
- 105 Total Rules into memory (YAY!)

This is really a big problem for me. Can someone help?

--------------------------
Warron French
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
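A way to narrow down the file-versus-memory mismatch described in the message above, as an added example that is not part of the original post: it counts the `-a` and `-w` rules in a rules file and, given the number of rules actually loaded (for instance from `auditctl -l`), prints the first rule that is missing. It assumes rules load in file order and that loading stopped at the first rejected rule; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an audit.rules file with the loaded rule count.

# Print "<actions> <watches> <total>" for a rules file, skipping comments,
# blank lines and control lines such as -D, -b, -f, -e.
count_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "-a" || $1 == "-A" { a++ }
        $1 == "-w" { w++ }
        END { printf "%d %d %d\n", a, w, a + w }
    ' "$1"
}

# Print "<file line>: <rule>" for rule number ($2 + 1): the first rule that
# is missing when $2 rules were loaded in file order (assumption: loading
# stopped at the first rule that was rejected).
first_unloaded() {
    awk -v loaded="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == "-a" || $1 == "-A" || $1 == "-w" {
            if (++n == loaded + 1) { print NR ": " $0; exit }
        }
    ' "$1"
}

# Constructed sample input, not the poster's rules.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
-D
-b 8192

-a always,exit -F arch=b64 -S adjtimex -k time-change
-a always,exit -F arch=b64 -S sethostname -k system-locale
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
EOF

count_rules "$sample"        # action, watch and total rule counts
first_unloaded "$sample" 2   # candidate rule if only 2 rules were loaded
```

With the numbers from the message, the call would be `first_unloaded /etc/audit/audit.rules 105`, which points at the 106th rule in the file as the place to start looking.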
