Behaviour of /etc/audit/rules.d in RHEL5 and RHEL6.

Solution Verified - Updated -

Issue

  • Does the /etc/audit/rules.d directory exist in RHEL5?
  • Does audit read rules inside /etc/audit/rules.d on Red Hat Enterprise Linux 5?
  • The /etc/audit/rules.d directory exists in RHEL6. Are rules placed in files in the /etc/audit/rules.d
    directory read by the auditd daemon?
  • Is there a way to prevent auditd from reading the files placed in the /etc/audit/audit.d directory?
  • If there are multiple files in /etc/audit/rules.d, in which sequence does auditd read the files placed in that directory? Is it based on alphanumeric order? For example, would files with file names starting with "a" be read before files with file names starting with "b"? Would files with file names starting with "0" be read before files with file names starting with "1"?
  • In RHEL6, if I place my audit rules in /etc/audit/audit.rules and the /etc/audit/audit.d/audit.rules file contains "-D" as the first line, does that mean that all the rules in /etc/audit/audit.rules are ignored by auditd? Or does it mean that all rules placed before "-D" within the same file are ignored?

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Auditd
