Why are audit watch rules removed when the immutable flag is set?

Solution Verified - Updated -

Issue

  • Audit watch rules are removed even though the configuration has been locked with `-e 2` (immutable mode), as `auditctl -s` confirms with `enabled=2`:
# auditctl -s
AUDIT_STATUS: enabled=2 flag=1 pid=3543 rate_limit=0 backlog_limit=320 lost=0 backlog=0

/var/log/messages

...
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952951): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_A" list=4 res=1
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952952): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_B" list=4 res=1

/etc/audit/rules.d/audit.rules

-w /appl/script/job/service/restart_service -p w -k FILE_A
-w /appl/script/job/service/restart_service -p x -k FILE_B
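
The two log lines and the rules file above are enough to answer a narrower question while the root cause is investigated: which watched paths no longer have a rule loaded, and did the removal events carry a login uid and session at all. The following Python script is an added example, not code from Red Hat or from this article. It parses `-w` rules from a rules.d file and `type=1305` (CONFIG_CHANGE) `op="remove rule"` events out of syslog text, joins them on the `-k` key, and treats `auid=4294967295` / `ses=4294967295` (the unsigned -1 the kernel logs when no login uid or session id is attached to the acting task) as "no login session". The sample rules and the FILE_A / FILE_B events are copied from the issue; the third event (key FILE_C, auid=1000) is constructed for contrast and does not appear on this page.

```python
"""Map audit 'remove rule' CONFIG_CHANGE events back to the watch rules they dropped."""
import re
from typing import Dict, List, Set, Tuple

# (unsigned int)-1: what the kernel logs for auid/ses when no login uid or
# session id is attached to the acting task.
AUID_UNSET = 4294967295

# A -w watch rule as written in /etc/audit/rules.d/*.rules: -w PATH [-p PERMS] [-k KEY]
WATCH_RULE_RE = re.compile(
    r"^-w\s+(?P<path>\S+)(?:\s+-p\s+(?P<perms>[rwxa]+))?(?:\s+-k\s+(?P<key>\S+))?\s*$"
)

# type=1305 is AUDIT_CONFIG_CHANGE; whatever syslog prefix precedes it is ignored.
REMOVE_EVENT_RE = re.compile(
    r'type=1305 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'auid=(?P<auid>\d+) ses=(?P<ses>\d+) op="remove rule" '
    r'key="(?P<key>[^"]*)" list=(?P<list>\d+) res=(?P<res>\d+)'
)


def parse_watch_rules(rules_text: str) -> Dict[str, Tuple[str, str]]:
    """Return {key: (watched_path, perms)} for every -w rule that carries a -k key."""
    rules: Dict[str, Tuple[str, str]] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = WATCH_RULE_RE.match(line)
        if m and m.group("key"):
            # Without -p a watch fires on every access type (rwxa).
            rules[m.group("key")] = (m.group("path"), m.group("perms") or "rwxa")
    return rules


def parse_remove_events(log_text: str) -> List[dict]:
    """Extract 'remove rule' CONFIG_CHANGE events (successful or not) from log text."""
    events: List[dict] = []
    for line in log_text.splitlines():
        m = REMOVE_EVENT_RE.search(line)
        if not m:
            continue
        events.append({
            "serial": int(m.group("serial")),
            "auid": int(m.group("auid")),
            "ses": int(m.group("ses")),
            "key": m.group("key"),
            "list": int(m.group("list")),  # 4 = exit filter list, where -w rules are loaded
            "success": m.group("res") == "1",
        })
    return events


def correlate(rules: Dict[str, Tuple[str, str]], events: List[dict]) -> List[dict]:
    """Join each removal event to the rule it names; flag events with no login session attached."""
    findings = []
    for ev in events:
        path, perms = rules.get(ev["key"], (None, None))
        findings.append({
            "serial": ev["serial"],
            "key": ev["key"],
            "path": path,  # None: the key is not in the rules file we were given
            "perms": perms,
            "success": ev["success"],
            "no_login_session": ev["auid"] == AUID_UNSET and ev["ses"] == AUID_UNSET,
        })
    return findings


def dropped_watch_paths(rules: Dict[str, Tuple[str, str]], events: List[dict]) -> Set[str]:
    """Paths from the rules file whose watch rule was successfully removed."""
    return {f["path"] for f in correlate(rules, events) if f["success"] and f["path"]}


# Constructed sample input: the rules and the FILE_A/FILE_B lines quoted in the issue,
# plus one constructed event (serial 35952900, key FILE_C, auid=1000) that did carry
# a login session, for contrast.
SAMPLE_RULES = """\
-w /appl/script/job/service/restart_service -p w -k FILE_A
-w /appl/script/job/service/restart_service -p x -k FILE_B
"""
SAMPLE_LOG = """\
Mar 21 20:55:10 <kern.notice> localhost kernel:type=1305 audit(1453380910.120:35952900): auid=1000 ses=5 op="remove rule" key="FILE_C" list=4 res=1
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952951): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_A" list=4 res=1
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952952): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_B" list=4 res=1
"""

if __name__ == "__main__":
    rules = parse_watch_rules(SAMPLE_RULES)
    events = parse_remove_events(SAMPLE_LOG)
    for finding in correlate(rules, events):
        print(finding)
    print("watches gone:", sorted(dropped_watch_paths(rules, events)))
```

Against a live system, feed it the real files (`parse_watch_rules(open('/etc/audit/rules.d/audit.rules').read())` and `parse_remove_events(open('/var/log/messages').read())`) and then confirm with `auditctl -l` that the paths it reports are in fact absent from the loaded rule set; a path that is reported here but still listed by `auditctl -l` was re-added after the removal event.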

Environment

  • Red Hat Enterprise Linux (All Versions)
