The audit rule is invalid when the folder in the rule is missing.


Issue

  • The audit rule is invalid when the folder in the rule is missing.
    For example:

    # ll /root/test/test1
    ls: cannot access '/root/test/test1': No such file or directory
    # ll /root/test/
    ls: cannot access '/root/test/': No such file or directory
    # grep test /etc/audit/rules.d/audit.rules 
    -w /root/test/test1/ -p warx -k test
    # service auditd restart
    Stopping logging: 
    Redirecting start to /bin/systemctl start auditd.service
    # auditctl -l
    No rules
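
A pre-flight check for this condition, as an added example (not Red Hat's code and not this article's resolution): it scans rules files for `-w` watches and reports those whose path is absent, noting whether the parent directory exists, mirroring the two `ls` checks above. The function name, output format, and the assumption that watch paths contain no whitespace are this example's own.

```shell
#!/bin/sh
# Added example: report audit watch rules ("-w PATH") whose PATH does not
# exist, as in the /root/test/test1/ case above.
# Assumption: watch paths contain no whitespace.

missing_watch_paths() {
    tab=$(printf '\t')
    for file in "$@"; do
        [ -r "$file" ] || continue
        # Emit "<line-number><TAB><path>" for every -w option on non-comment lines.
        awk 'NF == 0 || $1 ~ /^#/ { next }
             { for (i = 1; i < NF; i++) if ($i == "-w") print FNR "\t" $(i + 1) }' "$file" |
        while IFS="$tab" read -r lineno path; do
            [ -e "$path" ] && continue
            # Check the parent as well, like the second ls in the article.
            if [ -d "$(dirname "$path")" ]; then
                detail="parent directory exists"
            else
                detail="parent directory missing too"
            fi
            printf '%s:%s: %s (%s)\n' "$file" "$lineno" "$path" "$detail"
        done
    done
}

# Constructed sample: a scratch rules file with one valid and two missing paths.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/present"
    printf '%s\n' \
        "# -w $tmp/commented/ -p wa -k ignored" \
        "-w $tmp/present/ -p warx -k ok" \
        "-w $tmp/test/test1/ -p warx -k test" \
        "-w $tmp/present/file -p wa -k file" > "$tmp/audit.rules"
    missing_watch_paths "$tmp/audit.rules"
    rm -rf "$tmp"
}

# With arguments, check those rules files; without, run the constructed demo.
if [ "$#" -gt 0 ]; then missing_watch_paths "$@"; else demo; fi
```

Pass the rules files as arguments (for example `/etc/audit/rules.d/*.rules`) before restarting auditd; an empty result means every watched path exists.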
    

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • auditd
