On Wednesday, October 14, 2020 2:30:48 PM EDT warron.french wrote:
> Hello, I just wanted to confirm for my memory that if I wanted to confirm
> that the auditd process running on my system was configured correctly and
> intended to be
> *immutable (*setting *-e 2*) I would do so easily by executing:
>
> *auditctl -s*
>
> When I execute that command I get back in the results that have:
> *enabled 1*
> *loginuid_immutable 0 unlocked*
> *among a few other lines.*
>
> Shouldn't I actually see *enabled 2*?

That's what I get.

# auditctl -s
enabled 2

> I have in one of our .rules files under /etc/audit/rules.d/ the syntax
> "-e 2".

I'd copy 99-finalize.rules to rules.d and uncomment the only rule in the file. It has to be last. Although I have no idea why what you have isn't working unless it's not getting picked up by augenrules.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
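One way to check which "-e" directive in a rules.d directory comes last, and whether any rule still follows it, added here as an example and not part of the original thread or the audit project's code. The function name `last_enable_flag` is hypothetical, and the script assumes the `*.rules` files are merged in sorted name order (the shell's glob order, which holds for the usual two-digit prefixes such as 99-finalize.rules).

```shell
#!/bin/sh
# Find the last "-e N" directive across the *.rules files in a directory and
# count the rule lines that still follow it in merge order.
# Assumption: files are merged in sorted name order (shell glob order here).

# last_enable_flag DIR
# Prints "<file>:<value>:<rules_after>" for the last "-e N" line found,
# or "none" when no uncommented -e directive exists.
last_enable_flag() {
    dir=$1
    found_file="" found_val="" after=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue          # unmatched glob or non-file
        while IFS= read -r line || [ -n "$line" ]; do
            # Strip leading whitespace so indented rules are recognised.
            line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
            case $line in
                ''|'#'*)                 # blank line or comment: ignore
                    continue ;;
                -e[[:space:]]*)          # enable flag: remember the latest one
                    set -- $line
                    found_file=$(basename "$f")
                    found_val=$2
                    after=0 ;;
                *)                       # any other rule line
                    after=$((after + 1)) ;;
            esac
        done < "$f"
    done
    if [ -n "$found_file" ]; then
        printf '%s:%s:%d\n' "$found_file" "$found_val" "$after"
    else
        printf 'none\n'
    fi
}
```

Run it as `last_enable_flag /etc/audit/rules.d` and compare the reported value with the `enabled` line from `auditctl -s`. A non-zero third field means the "-e" line is not last, and a file that does not end in `.rules` is never read at all.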
