Sep 22 09:04:24 hostxyz augenrules: /sbin/augenrules: No change
Sep 22 09:04:24 hostxyz augenrules: No rules
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 1
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 1
Sep 22 09:04:24 hostxyz augenrules: enabled 1
Sep 22 09:04:24 hostxyz augenrules: failure 2
Sep 22 09:04:24 hostxyz augenrules: pid 1242
Sep 22 09:04:24 hostxyz augenrules: rate_limit 0
Sep 22 09:04:24 hostxyz augenrules: backlog_limit 16384
Sep 22 09:04:24 hostxyz augenrules: lost 56
Sep 22 09:04:24 hostxyz augenrules: backlog 0
Sep 22 09:04:24 hostxyz augenrules: usage: auditctl [options]
Sep 22 09:04:24 hostxyz augenrules: -a <l,a> Append rule to end of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -A <l,a> Add rule at beginning of <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: -b <backlog> Set max number of outstanding audit buffers
Sep 22 09:04:24 hostxyz augenrules: allowed Default=64
Sep 22 09:04:24 hostxyz augenrules: -c Continue through errors in rules
Sep 22 09:04:24 hostxyz augenrules: -C f=f Compare collected fields if available:
Sep 22 09:04:24 hostxyz augenrules: Field name, operator(=,!=), field name
Sep 22 09:04:24 hostxyz augenrules: -d <l,a> Delete rule from <l>ist with <a>ction
Sep 22 09:04:24 hostxyz augenrules: l=task,exit,user,exclude
Sep 22 09:04:24 hostxyz augenrules: a=never,always
Sep 22 09:04:24 hostxyz augenrules: -D Delete all rules and watches
Sep 22 09:04:24 hostxyz augenrules: -e [0..2] Set enabled flag
Sep 22 09:04:24 hostxyz augenrules: -f [0..2] Set failure flag
Sep 22 09:04:24 hostxyz augenrules: 0=silent 1=printk 2=panic
Sep 22 09:04:24 hostxyz augenrules: -F f=v Build rule: field name, operator(=,!=,<,>,<=,
Sep 22 09:04:24 hostxyz augenrules: >=,&,&=) value
Sep 22 09:04:24 hostxyz augenrules: -h Help
Sep 22 09:04:24 hostxyz augenrules: -i Ignore errors when reading rules from file
Sep 22 09:04:24 hostxyz augenrules: -k <key> Set filter key on audit rule
Sep 22 09:04:24 hostxyz augenrules: -l List rules
Sep 22 09:04:24 hostxyz augenrules: -m text Send a user-space message
Sep 22 09:04:24 hostxyz augenrules: -p [r|w|x|a] Set permissions filter on watch
Sep 22 09:04:24 hostxyz augenrules: r=read, w=write, x=execute, a=attribute
Sep 22 09:04:24 hostxyz augenrules: -q <mount,subtree> make subtree part of mount point's dir watches
Sep 22 09:04:24 hostxyz augenrules: -r <rate> Set limit in messages/sec (0=none)
Sep 22 09:04:24 hostxyz augenrules: -R <file> read rules from file
Sep 22 09:04:24 hostxyz augenrules: -s Report status
Sep 22 09:04:24 hostxyz augenrules: -S syscall Build rule: syscall name or number
Sep 22 09:04:24 hostxyz augenrules: -t Trim directory watches
Sep 22 09:04:24 hostxyz augenrules: -v Version
Sep 22 09:04:24 hostxyz augenrules: -w <path> Insert watch at <path>
Sep 22 09:04:24 hostxyz augenrules: -W <path> Remove watch at <path>
Sep 22 09:04:24 hostxyz augenrules: --loginuid-immutable Make loginuids unchangeable once set
Sep 22 09:04:24 hostxyz augenrules: --reset-lost Reset the lost record counter
Sep 22 09:04:24 hostxyz systemd: Started Security Auditing Service.
The 'usage' of auditctl is invoked the one time in the 'try_load' function of augenrules. Manual executions of '/sbin/auditctl -R /etc/audit/audit.rules' result in essentially the same behavior on the terminal as found in /var/log/messages.
Should execution of augenrules seemingly error out on invocation of auditctl like this?
Thank you.