&gt;You have a race condition where auditd gets a signal to shutdown and an event<br>&gt;indicating that shutdown is occurring. On shutdown, the audit daemon does not<br>&gt;alter the rules or whether auditing is enabled. (This was to get shutdown AVCs<br>&gt;for selinux.) There is a chance that your event is in syslog&#39;s files.<div><br></div><div><br></div><div>For clarity, I am still not sure whether audit rules can be written to monitor auditd/auispd killed or not (syslog was disabled under my circumstances ).</div><div> If yes, could you give me some tips? Thanks.</div><div><br><br></div>