Hi, I am back again.

I have some experience and a great deal more comfort with the Linux Audit configurations nowadays. I learned an aweful lot by working with CentOS-6; however, this question is focused purely on RHEL-7.

In RHEL-6, audit rules were added directly to /etc/audit/audit.rules, but it seems that it is a requirement in RHEL-7 to be placed directly in a file (any file?) within /etc/audit/rules.d/.

I discovered this by doing some man-page reading of the audit.rules file after my RHEL-6-variant understanding was turned on its ear. So, I created an /etc/audit/rules.d/audit.rules and added my rules in there.

I ensured that I set "-e 1" because the value wasn't already set. I added a watch rules (-w) and it at first didn't take effect; so then realized, "this is RHEL-7, I have to use systemctl to restart services."

That also didn't work. I tested with auditctl -l and looked for my new rules (only 2 of them); so a reboot was committed for something else by a coworker, and then the auditctl -l command actually did display updated rules. This is very confusing, but I thought nothing more about it, figuring it is a flaw somewhere.

Anyway, today I added an action rule (-a/Syscall Rule) and it too has not taken effect; not after a service auditd restart, not after a systemctl restart auditd.service, just nothing. I also recently read in a community post, today, that systemctl doesn't handle the restart of auditd very well (the comment came from you Mr. Grubb).

I cannot reboot the server yet, and quite frankly I don't want to be forced to reboot the server everytime I add a rule - it's a lab, not production.

Can someone please tell me what I am doing so wrong, with respect to handling audit configurations on a RHEL-7 system, and tell me how to work the processes correctly?

Thanks,

--------------------------
Warron French