After many experiments, I discovered an inconspicuous syntax error in audit.rules.
Here are two seemingly identical lines:
-a exit,always -F arch=b64 -F euid=0 -S execve –k root_actions
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions
Their only difference is that in the first line
Public bug reported:
I found that when changing the Rsyslog configuration (/etc/rsyslog.d/50-default.conf) an Auditd failure occurs with distinctive strings in syslog:
ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE).
There was an error in line 6 of
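A check for the dash mix-up shown in the two audit rules above, added here as an example and not taken from either report: it scans audit.rules text for Unicode dashes that render like ASCII "-" in front of an option letter (the kind of character a copy-paste from a web page or word processor introduces) and reports them before augenrules is asked to load the file. The look-alike character set and the sample rules are constructed for this example.

```python
# Added check: report audit rule options written with a Unicode look-alike
# dash (e.g. U+2013 EN DASH) instead of ASCII HYPHEN-MINUS, which auditctl
# does not recognise as an option and augenrules --load then rejects.
import re
import sys

# Constructed list of characters that look like '-' but are not '-'.
LOOKALIKE_DASHES = {
    "\u2010": "HYPHEN",
    "\u2011": "NON-BREAKING HYPHEN",
    "\u2012": "FIGURE DASH",
    "\u2013": "EN DASH",
    "\u2014": "EM DASH",
    "\u2212": "MINUS SIGN",
}

# A look-alike dash at the start of a token, directly followed by a letter,
# i.e. where an auditctl option such as -a, -F, -S or -k is expected.
_OPTION_RE = re.compile(
    r"(?<!\S)([" + "".join(LOOKALIKE_DASHES) + r"])(?=[A-Za-z])"
)


def find_bad_dashes(text):
    """Return [(lineno, char_name, column)] for each look-alike option dash."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):  # comments are harmless
            continue
        for m in _OPTION_RE.finditer(line):
            findings.append((lineno, LOOKALIKE_DASHES[m.group(1)], m.start() + 1))
    return findings


def normalize_dashes(text):
    """Return text with every look-alike option dash replaced by ASCII '-'."""
    return _OPTION_RE.sub("-", text)


# Constructed sample mirroring the two rules compared above: the first line
# carries an EN DASH before 'k', the second is the correct rule.
SAMPLE_RULES = (
    "-a exit,always -F arch=b64 -F euid=0 -S execve \u2013k root_actions\n"
    "-a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions\n"
)

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, name, col in find_bad_dashes(src):
        print(f"line {lineno} col {col}: {name} used where ASCII '-' is required")
```

Run it with the path to a rules file (for example the file augenrules failed on) to get the offending line numbers; `normalize_dashes` gives the corrected text for review before you write it back.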