From: Steve Grubb
Subject: Re: rules.d on RHEL6
Date: Wed, 12 Apr 2017 11:51:48 -0400
Message-ID: <2119234.s8ps4zJtJ9@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, April 12, 2017 10:18:55 AM EDT warron.french wrote:
> It appears that this directory is not used at all on RHEL6.
>
> I know I have mentioned this before; but it's true. If I *move* my copy of
> audit.rules from /etc/audit into the subdirectory rules.d and restart
> audit; the audit.rules file is not recopied/regenerated or whatever by the
> auditd.
>
> This behavior is different from RHEL7; where if you delete the
> /etc/audit/audit.rules file or move it to /etc/audit/rules.d/audit.rules;
> the auditd functions as I expect.

This is mostly correct. The issue with RHEL 6 is that the augenrules program
didn't exist when RHEL 6 was originally shipped. So, it would have been bad and
unexpected for the behavior to suddenly change during an update to a shipped
product. However, augenrules is useful and for anyone that wants to use it on
RHEL 6 they may do so by opting in. If you read the text in
/etc/sysconfig/auditd you will see an explanation of how to enable augenrules.

-Steve

> Can someone please correct my understanding? Is the /etc/audit/rules.d
> directory not supposed to be usable in RHEL6; but is in RHEL7?
> --------------------------
> Warron French