Missing audit entries in auditctl -l
I am following a "CIS Red Hat Enterprise Linux 7 Benchmark v 2.2.0" to secure a RHEL 7.4 installation. I have a script that creates /etc/audit/rules.d/audit.rules which includes the lines:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
The guide above asks me to run the following commands to verify output:
grep identity /etc/audit/audit.rules
auditctl -l | grep identity
The first command works properly (and confirms that auditd loaded my file in rules.d. But the second command has no output. If I remove the grep, I do get output, but only the first half of the file created by the script. The next line would have been:
-a always,exit -F path=/usr/lib64/vte-2.90/gnome-pty-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
I don't see any errors in /var/log/messages, and I am not sure what the next step in troubleshooting would be...
Any suggestions?
Thank you!