Auditd service restart overrides changes made to /etc/audit/audit.rules



Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • audit-libs-2.3.7-5


Issue

When I try to update /etc/audit/audit.rules, auditd service restart causes the new rules I'm trying to add to be replaced by the initial ruleset.


Resolution

Either place the rules where augenrules expects to find them:

  • Audit rules files should be placed in /etc/audit/rules.d
  • File names should end with ".rules"

or disable augenrules so that auditd loads /etc/audit/audit.rules directly:

  • Red Hat Enterprise Linux 6

    • Set USE_AUGENRULES=no in /etc/sysconfig/auditd
    • Restart the auditd service: service auditd restart
  • Red Hat Enterprise Linux 7

    • Copy /usr/lib/systemd/system/auditd.service to /etc/systemd/system/auditd.service
    • Edit /etc/systemd/system/auditd.service according to the comments in the file, i.e. comment out (or delete) the augenrules line and uncomment the auditctl line:

      ## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
      ## and comment/delete the next line and uncomment the auditctl line.
      ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
      ExecStartPost=-/sbin/augenrules --load
      #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

    • Reload systemd so that it picks up the changed auditd unit file:

      $ systemctl daemon-reload

    • Restart the auditd service: service auditd restart

Root Cause

  • With audit-libs-2.3.7-5, support for the augenrules utility was added to the audit packages.
  • From the augenrules man page:

    augenrules is a script that merges all component audit rules files, found in the audit rules directory, /etc/audit/rules.d, placing the merged file in /etc/audit/audit.rules. Component audit rule files must end in .rules in order to be processed. All other files in /etc/audit/rules.d are ignored.
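As an added check that is not part of the Red Hat solution, the following shell functions report whether the active auditd unit loads rules through augenrules (in which case edits to /etc/audit/audit.rules are overwritten on every restart) and which files in /etc/audit/rules.d augenrules will merge or silently ignore, as described in the Root Cause above. The paths are the ones named in this article; the function names and the fallback to the /usr/lib unit file when no /etc/systemd override exists are my own assumptions.

```shell
# Added example, not from the Red Hat article: report where auditd will get
# its rules from after a restart and which files in rules.d augenrules will
# actually merge. Paths default to the article's but are taken as parameters.

# Print which ExecStartPost line is active (not commented out) in the unit
# file: "augenrules" (audit.rules is regenerated from rules.d) or "auditctl".
rules_loader() {
    unit="${1:-/etc/systemd/system/auditd.service}"
    [ -r "$unit" ] || unit=/usr/lib/systemd/system/auditd.service
    if grep -Eq '^[[:space:]]*ExecStartPost=.*augenrules' "$unit"; then
        echo augenrules
    elif grep -Eq '^[[:space:]]*ExecStartPost=.*auditctl[[:space:]]+-R' "$unit"; then
        echo auditctl
    else
        echo unknown
    fi
}

# Files augenrules will merge: only names ending in .rules, in sorted order.
merged_files() {
    dir="${1:-/etc/audit/rules.d}"
    for f in "$dir"/*.rules; do [ -f "$f" ] && echo "$f"; done | sort
    return 0
}

# Files in rules.d that augenrules ignores because they lack the .rules suffix.
ignored_files() {
    dir="${1:-/etc/audit/rules.d}"
    for f in "$dir"/*; do
        case "$f" in *.rules) ;; *) [ -f "$f" ] && echo "$f" ;; esac
    done
    return 0
}

# Human-readable summary: says whether edits to audit.rules survive a restart.
report() {
    loader=$(rules_loader "$1")
    echo "loader: $loader"
    if [ "$loader" = augenrules ]; then
        echo "edits to /etc/audit/audit.rules are overwritten on restart; use $2"
        echo "merged:"; merged_files "$2"
        ign=$(ignored_files "$2")
        if [ -n "$ign" ]; then echo "IGNORED (no .rules suffix):"; echo "$ign"; fi
    else
        echo "/etc/audit/audit.rules is loaded directly by auditctl -R"
    fi
}
```

On a RHEL 7 host run `report /etc/systemd/system/auditd.service /etc/audit/rules.d`; on RHEL 6 the equivalent switch is USE_AUGENRULES in /etc/sysconfig/auditd, which this script does not inspect.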

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


Commenting out the augenrules line is not honored until the server is rebooted or you run systemctl daemon-reload to force systemd to reload the service configuration file.

For RHEL 7.2: move the file /usr/lib/systemd/system/auditd.service to /etc/systemd/system/auditd.service to prevent the old file from calling augenrules. Then, in /etc/systemd/system/auditd.service, remove the comment from ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules, save it, and clear old rules from /etc/audit/audit.rules. Then run systemctl daemon-reload followed by service auditd restart. Finally, service auditd status should show the following:

    Active: active (running) since Tue 2016-07-05 18:49:51 UTC; 1s ago
    Process: 8377 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)