But even if you successfully load rules early... you need a daemon to collect
the results before the internal kernel buffer overflows and forever loses the
events. So, this means getting the audit daemon running earlier, and its main
requirement is that the MAC policy already be loaded and the disk system mounted
(perhaps networking running if you use remote logging).
Thanks, Steve.