Story
Resolution: Unresolved
rhel-sst-security-special-projects
ssg_security
Red Hat Enterprise Linux
After much troubleshooting of a customer issue, where he wasn't able to disable the sedispatch plugin, it appears that we found the reason: the customer had created a backup of sedispatch.conf named sedispatch.conf_<date>, which caused auditd to process the file anyway, despite it not having a .conf extension.
This behavior is documented in the auditd-plugins(5) man page but looks totally counter-intuitive and somehow breaks the common standard naming rules used for every other component shipped on RHEL (e.g. systemd, httpd, selinux, dracut and many more).
It would be great to avoid this odd behavior and stick to common habits.
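
A check for the situation described in this report, as an added example that is not part of the original issue or of the audit package: it lists files in an auditd plugin directory that are still marked active although their name does not end in .conf. The function name, the sample files and the /sbin/sedispatch path in them are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: find backup copies of auditd plugin configs (for instance
# sedispatch.conf_<date>) that still say "active = yes".
# Usage: script.sh /etc/audit/plugins.d   (no argument: constructed demo)

# Print "<file name><TAB><plugin path>" for every regular file in directory $1
# whose name does not end in ".conf" and that has an uncommented "active = yes".
find_stray_active_plugins() {
    local dir=$1 f path
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                    # skip subdirectories, empty glob
        case "$f" in *.conf) continue ;; esac      # properly named files are expected
        # Lenient match on purpose: any letter case, any spacing around "=".
        grep -Eiq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes' "$f" || continue
        path=$(sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
        printf '%s\t%s\n' "${f##*/}" "$path"
    done
    return 0
}

# Constructed sample directory: the real config was switched off, but the
# dated backup made before the change still carries "active = yes".
demo() {
    local d
    d=$(mktemp -d)
    printf 'active = no\npath = /sbin/sedispatch\n'  > "$d/sedispatch.conf"
    printf 'active = yes\npath = /sbin/sedispatch\n' > "$d/sedispatch.conf_20240101"
    find_stray_active_plugins "$d"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then
    find_stray_active_plugins "$1"
else
    demo
fi
```

Any file it reports should be moved out of the plugin directory or set to `active = no` before auditd is restarted.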