Hello,
On Friday, February 10, 2017 4:52:13 PM EST Tom Hall wrote:
> Please forgive me, I assume this has already been addressed in the mail
> archive but I've been unable to locate a related thread. Can someone tell
> me why the default for auditd is O_NOFOLLOW for accessing auditd
> configuration files? I assume there is a reason for not supporting links as
> the default that is important enough to justify the extra work to add the
> -l option but it is not clear to me.
It was made that way to ensure that the security assumptions are exactly as
expected. Meaning no one has replaced the real configuration with a weaker one
somewhere else on disk. And since auditd is covered by SELinux policy, moving
the configuration also means policy label problems. So, this is kind of a
strong hint to leave it where it's supposed to be to avoid problems.
In the old days, all it took was a simple edit to /etc/sysconfig/auditd to fix.
But with systemd, it is a bit more work to copy the service file to the right
place before editing.
-Steve
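As an added example (not from this thread or from the audit project), the default behaviour Steve describes, in C: a constructed temporary directory holds a real config file and a symlink to it, and an open() with O_NOFOLLOW refuses the symlink with ELOOP while accepting the real file. The function names (open_config_nofollow, make_fixture, nofollow_rejects, run_demo) and the sample config line are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Default auditd behaviour: refuse a symlink in the final path component.
 * Without O_NOFOLLOW (the -l style open) the link would simply be followed. */
int open_config_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Constructed fixture in a fresh temp dir: real auditd.conf + symlink to it. */
int make_fixture(char *real, size_t rlen, char *lnk, size_t llen)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(real, rlen, "%s/auditd.conf", dir);
    snprintf(lnk, llen, "%s/auditd.conf.link", dir);
    FILE *f = fopen(real, "w");
    if (f == NULL) return -1;
    fputs("log_file = /var/log/audit/audit.log\n", f); /* sample content */
    fclose(f);
    return symlink(real, lnk);
}

/* 1 if O_NOFOLLOW refuses path with ELOOP, 0 if it opens, -1 on other errors. */
int nofollow_rejects(const char *path)
{
    int fd = open_config_nofollow(path);
    if (fd >= 0) { close(fd); return 0; }
    return errno == ELOOP ? 1 : -1;
}

/* 1 when the real file opens and the symlink is refused, as auditd expects. */
int run_demo(void)
{
    char real[256], lnk[256];
    if (make_fixture(real, sizeof real, lnk, sizeof lnk) != 0) return 0;
    return nofollow_rejects(real) == 0 && nofollow_rejects(lnk) == 1;
}

int main(void)
{
    puts(run_demo() ? "real file opened, symlinked config refused (ELOOP)"
                    : "unexpected result");
    return 0;
}
```

The temporary directory is left under /tmp so the two paths can be inspected with ls -l afterwards.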