SUSE, Fedora – Auditd rules do not seem to work

Errors Seen

None of the custom rules placed in /etc/audit/rules.d/ seem to take effect, even though they are listed when running auditctl -l.

This issue has been seen on SUSE Linux Enterprise Server (SLES) 15 SP2 and Fedora 22 and onward.

Why

The default rule set shipped in /etc/audit/rules.d/audit.rules contains -a task,never, which disables syscall auditing for every task started while it is in effect and therefore overrides any other syscall rules you add.

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
-a task,never

This rule was added to keep the volume of auditd logging to a minimum.

Solution

Edit /etc/audit/rules.d/audit.rules and comment out the -a task,never line.

If no other changes have been made, the entire file should then look like this:

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
#-a task,never
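The following script is an added example and is not part of the original post or of the audit package. It automates the fix above: it checks a rules.d file for an active -a task,never line, comments it out in place, and counts the rules that remain active. The demo at the bottom works on constructed copies of audit.rules and a custom rule file in a temporary directory, so it can be run as a normal user; applying it to the real /etc/audit/rules.d/audit.rules, followed by augenrules --load and auditctl -l, is the step to do as root. Note that processes created while -a task,never was loaded keep their "no audit" state, so already-running services stay unaudited until restarted (or until reboot).

```shell
#!/bin/sh
# Added example: detect and neutralise the default "-a task,never" rule.
set -eu

# Return 0 if FILE still contains an active (uncommented) "-a task,never" rule.
has_task_never() {
    grep -q '^[[:space:]]*-a[[:space:]]*task,never' "$1"
}

# Comment out every active "-a task,never" line in FILE.
# Written through a temp file so it behaves the same with GNU and BSD sed.
disable_task_never() {
    f=$1
    sed 's/^[[:space:]]*-a[[:space:]]*task,never/#&/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Count the lines augenrules would actually load from FILE (rules start with "-").
count_active_rules() {
    grep -c '^[[:space:]]*-' "$1" || true
}

# Demo on constructed files in a temp dir (never touches /etc/audit).
demo() {
    dir=$(mktemp -d)
    # Constructed copy of the distribution default audit.rules shown in the post.
    cat > "$dir/audit.rules" <<'EOF'
## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
-a task,never
EOF
    # Constructed custom syscall rule (logs every execve) that task,never would silence.
    cat > "$dir/10-execve.rules" <<'EOF'
-a always,exit -F arch=b64 -S execve -k exec
EOF

    if has_task_never "$dir/audit.rules"; then
        echo "audit.rules carries an active -a task,never: syscall rules will not fire"
        disable_task_never "$dir/audit.rules"
    fi
    if has_task_never "$dir/audit.rules"; then
        echo "failed to comment out -a task,never"
    else
        echo "task,never commented out; active rules left in audit.rules: $(count_active_rules "$dir/audit.rules")"
        echo "custom syscall rules that will now take effect: $(count_active_rules "$dir/10-execve.rules")"
    fi
    echo "on the real system run as root: augenrules --load && auditctl -l"
    echo "then restart services started while task,never was active (or reboot)"
    rm -rf "$dir"
}

demo
```

The sed pattern anchors on the start of the line so an already commented `#-a task,never` is left alone, and `count_active_rules` reports 0 for the fixed default file, which is exactly what the post's final file listing shows.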
