Why are audit watch rules removed when the immutable flag is set?

Issue

  • Audit watch rules are removed even though the audit configuration has been locked with '-e 2' (the immutable flag):

# auditctl -s
AUDIT_STATUS: enabled=2 flag=1 pid=3543 rate_limit=0 backlog_limit=320 lost=0 backlog=0

/var/log/messages

...
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952951): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_A" list=4 res=1
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952952): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_B" list=4 res=1

/etc/audit/rules.d/audit.rules

-w /appl/script/job/service/restart_service -p w -k FILE_A
-w /appl/script/job/service/restart_service -p x -k FILE_B
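
What a defender can do with the evidence shown above is detect it reliably. The following is an added example, not Red Hat's own tooling and not part of the original article: it parses type=1305 (audit configuration change) records from /var/log/messages, keeps the "remove rule" entries whose auid is 4294967295 (the unset value, i.e. the removal was not attributed to any login session), and cross-checks the removed keys against the -k keys in /etc/audit/rules.d/audit.rules so the affected watches can be reported. The sample input is the two kernel lines, the rules file and the auditctl -s output from the article, plus one constructed "add rule" record with a real auid to show it is ignored; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the article's two kernel messages plus one made-up
# "add rule" record performed from a login session (auid=1000), which must be ignored.
SAMPLE_MESSAGES = """\
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952951): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_A" list=4 res=1
Mar 21 21:00:24 <kern.notice> localhost kernel:type=1305 audit(1453381224.790:35952952): auid=4294967295 ses=4294967295 op="remove rule" key="FILE_B" list=4 res=1
Mar 21 21:05:00 <kern.notice> localhost kernel:type=1305 audit(1453381500.000:35952960): auid=1000 ses=7 op="add rule" key="FILE_C" list=4 res=1
"""

# The article's persistent rules file (assumed complete for this example).
SAMPLE_RULES = """\
-w /appl/script/job/service/restart_service -p w -k FILE_A
-w /appl/script/job/service/restart_service -p x -k FILE_B
"""

# The article's `auditctl -s` output.
SAMPLE_STATUS = "AUDIT_STATUS: enabled=2 flag=1 pid=3543 rate_limit=0 backlog_limit=320 lost=0 backlog=0"

UNSET_ID = 4294967295        # (unsigned)-1: auid/ses were never set, so no login session is attributed
AUDIT_CONFIG_CHANGE = 1305   # audit record type for rule/configuration changes

MSG_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
FIELD_RE = re.compile(r'(?P<k>[A-Za-z_]+)=(?:"(?P<q>[^"]*)"|(?P<v>\S+))')


def parse_config_change(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line carrying a type=1305 record into a field dict; None otherwise."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for f in FIELD_RE.finditer(line):
        fields[f.group('k')] = f.group('q') if f.group('q') is not None else f.group('v')
    if fields.get('type') != str(AUDIT_CONFIG_CHANGE):
        return None
    fields['ts'] = m.group('ts')
    fields['serial'] = m.group('serial')
    return fields


def rule_keys(rules_text: str) -> Set[str]:
    """Collect the -k keys declared in an audit.rules file (comments and blank lines ignored)."""
    keys: Set[str] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        toks = line.split()
        for i in range(len(toks) - 1):
            if toks[i] == '-k':
                keys.add(toks[i + 1])
    return keys


def is_locked(auditctl_status: str) -> bool:
    """True when `auditctl -s` reports enabled=2, i.e. the rule set is immutable until reboot."""
    m = re.search(r'\benabled=(\d)', auditctl_status)
    return m is not None and m.group(1) == '2'


def unattributed_rule_removals(messages: str, rules_text: str) -> List[Dict[str, object]]:
    """Return 'remove rule' records with no login session attributed (auid unset),
    each annotated with whether the removed key is one the persistent rules file declares."""
    expected = rule_keys(rules_text)
    hits: List[Dict[str, object]] = []
    for line in messages.splitlines():
        rec = parse_config_change(line)
        if rec is None or rec.get('op') != 'remove rule':
            continue
        if rec.get('auid') != str(UNSET_ID):
            continue          # removal tied to a real session: normal administrative change
        key = rec.get('key', '')
        hits.append({'ts': rec['ts'], 'serial': rec['serial'], 'key': key,
                     'list': rec.get('list', ''), 'in_rules_file': key in expected})
    return hits


if __name__ == '__main__':
    # Only flag removals on a host whose rule set is supposed to be immutable.
    if is_locked(SAMPLE_STATUS):
        for h in unattributed_rule_removals(SAMPLE_MESSAGES, SAMPLE_RULES):
            print(f"serial {h['serial']} ts {h['ts']}: watch key {h['key']} removed "
                  f"(declared in rules file: {h['in_rules_file']})")
```

Run against a real host, replace the sample strings with the contents of /var/log/messages (or `ausearch -m CONFIG_CHANGE` output, which carries the same fields) and the rules file; any hit on a host where `auditctl -s` shows enabled=2 is a watch that disappeared without an administrator's session behind it and should be investigated.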

Environment

  • Red Hat Enterprise Linux (All Versions)
