Does the auditctl command create audit rules that are persistent across reboots
Issue
- Does the auditctl command create audit rules that are persistent across reboots
- Using
auditctl
to enter theaudit
record and it works perfectly except that it is not persistent across reboots
Resolution
- The
auditctl
command does not add rules into the/etc/audit/audit.rules
file on disk and therefore commands run are not persistent across reboots
Root Cause
/etc/audit/audit.rules
is read on boot and when restarting theauditd
service to load audit rules into the auditing subsystem which makes calls to the kernel
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments