Audit Rule Configuration not Reflected – How to troubleshoot

We have added new audit rules to the configuration file /etc/audit/rules.d/audit.rules as shown below:

ban2
# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

But, these configurations does not reflected.

# auditctl -l
No rules

Note: On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.

Solution

The first thing to check here is the rule’s syntax and correct if it is wrong. For example, you can manually run the rule you have configured in the configuration file. You should see the syntax error on the command line when you run the command. For example:

# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
Syscall name unknown: stime
The audit system is in immutable mode, no rule changes allowed

Correct the rule argument “-S time” and restart the system. The restart is required to disable the auditd immutable mode.

ban4

Post reboot, all of the audit rule will reflect.

# auditctl -l
-a always,exit -F arch=x86_64 -S adjtimex,settimeofday,time,clock_settime -F key=time-change
-a always,exit -F arch=x86_64 -S sethostname,setdomainname -F key=system-locale

If you set the incorrect syntax in /etc/audit/rules.d/audit.rules configuration file, auditd stop the rule registration. So, all of the rules after incorrect syntax line, will not reflect.

Leave a Reply

Your email address will not be published. Required fields are marked *