Hello, I am writing a Puppet Module to deliver updates of audit.rules and
auditd.conf configurations to RHEL6 and RHEL7 machines.
The files are laid down correctly for both RHEL6 and RHEL7 within the
appropriate directories:
- RHEL6 = /etc/audit/audit.rules
- RHEL7 = /etc/audit/rules.d/audit.rules
Anyway, the results for all RHEL7 machines (client versus Server) are
perfect. The audit.rules are all laid down as expected, and after a reboot
of the system the rules are all 100% in place - just as I need.
The problem is when they are laid down on RHEL6 clients versus Servers, the
behaviors are very different.
For RHEL6 clients I have the following intended rules and rules loaded into memory:
118 (-a) Action Rules in audit.rules file     118 Action Rules are loaded into memory (YAY!)
 15 (-w) Watch Rules in audit.rules file       15 Watch Rules are loaded into memory (YAY!)
133 Total Rules in audit.rules files          133 Total Rules into memory (YAY!)
For RHEL6 Server, however, I have the following results:
118 (-a) Action Rules in audit.rules file     105 Action Rules are loaded into memory (FAIL)
 15 (-w) Watch Rules in audit.rules file        0 Watch Rules are loaded into memory (HUGE FAIL)
133 Total Rules in audit.rules files          105 Total Rules into memory (YAY!)
This is really a big problem for me. Can someone help?
--------------------------
Warron French