Does the auditctl command create audit rules that are persistent across reboots?

Solution Unverified - Updated -

Issue

  • Does the auditctl command create audit rules that are persistent across reboots?
  • Using auditctl to enter the audit record works perfectly, except that it is not persistent across reboots.

Resolution

  • The auditctl command does not write rules to the /etc/audit/audit.rules file on disk, so rules added with it are not persistent across reboots.

Root Cause

  • /etc/audit/audit.rules is read at boot and whenever the auditd service is restarted. Its rules are loaded into the auditing subsystem, which makes calls to the kernel.
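
One way to spot rules that a reboot would drop, as an added example that is not part of the original solution: compare the rules currently loaded in the kernel (the output of `auditctl -l`) with /etc/audit/audit.rules. The function names are hypothetical, and the comparison is textual, so it assumes `auditctl -l` prints rules in the same syntax as the rules file; an equivalent rule written differently on disk will be reported as well.

```shell
#!/bin/sh
# Added example: report audit rules that are loaded in the kernel but
# missing from the on-disk rules file, i.e. rules lost at the next reboot
# or auditd restart. Function names are hypothetical.

# normalize_rules [FILE]
# Drop comment and blank lines, squeeze whitespace, and sort, so that two
# rule listings can be compared line by line. Reads stdin if FILE is omitted.
normalize_rules() {
    sed -e '/^[[:space:]]*#/d' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' "$@" |
        grep -v -e '^$' -e '^No rules$' |   # "No rules" = empty auditctl -l
        LC_ALL=C sort -u
}

# unpersisted_rules RULES_FILE
# Reads the loaded rules on stdin and prints those absent from RULES_FILE.
# Control lines in the file (-D, -b, -e ...) never appear in the output,
# because only the "loaded but not on disk" column is printed.
unpersisted_rules() {
    rules_file=$1
    tmp_disk=$(mktemp) || return 1
    normalize_rules "$rules_file" > "$tmp_disk"
    normalize_rules | LC_ALL=C comm -23 - "$tmp_disk"
    rm -f "$tmp_disk"
}

# Typical use, as root:
#   auditctl -l | unpersisted_rules /etc/audit/audit.rules
```

Each rule this prints has to be added to /etc/audit/audit.rules to survive a reboot. On releases where augenrules regenerates that file from /etc/audit/rules.d/, add the rule there instead.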
