-
Bug
-
Resolution: Won't Do
-
Undefined
-
None
-
rhel-9.6
-
None
-
No
-
None
-
rhel-security-special-projects
-
ssg_security
-
None
-
False
-
False
-
-
None
-
None
-
None
-
None
-
Unspecified
-
Unspecified
-
Unspecified
-
None
What were you trying to do that didn't work?
auditd service keeps running without any issues even when invalid audit rules are configured for the system.
Please provide the package NVR for which the bug is seen:
audit-3.1.5-4.el9
How reproducible is this bug?
deterministic
Steps to reproduce
- Configure invalid audit rules in /etc/audit/audit.rules or in /etc/audit/rules.d
- Restart auditd (run "service auditd restart")
- Run "systemctl status auditd"
Expected results
auditd service fails or errors as it wasn't able to load all audit rules successfully.
Actual results
Even though "augenrules --load" failed the auditd service keeps running.
# systemctl status auditd ● auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled) Active: active (running) since Tue 2025-05-06 11:01:19 EDT; 35min ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 877 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS) Process: 903 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) Main PID: 900 (auditd) Tasks: 2 (limit: 25656) Memory: 7.1M CPU: 59ms CGroup: /system.slice/auditd.service └─900 /sbin/auditd
