Linux Commands and Scripts

Audit Rule Configuration not Reflected – How to troubleshoot

We have added new audit rules to the configuration file /etc/audit/rules.d/audit.rules as shown below:

# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale

But, these configurations does not reflected.

# auditctl -l
No rules

Note: On CentOS/RHEL 6, the configuration file is /etc/audit/audit.rules instead of /etc/audit/rules.d/audit.rules.


1. The first thing to check here is the rule’s syntax and correct if it is wrong. For example, you can manually run the rule you have configured in the configuration file. You should see the syntax error on the command line when you run the command. For example:

# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
Syscall name unknown: stime
The audit system is in immutable mode, no rule changes allowed

2. Correct the rule argument “-S time” and restart the system. The restart is required to disable the auditd immutable mode.

3. Post reboot, all of the audit rule will reflect.

# auditctl -l
-a always,exit -F arch=x86_64 -S adjtimex,settimeofday,time,clock_settime -F key=time-change
-a always,exit -F arch=x86_64 -S sethostname,setdomainname -F key=system-locale

If you set the incorrect syntax in /etc/audit/rules.d/audit.rules configuration file, auditd stop the rule registration. So, all of the rules after incorrect syntax line, will not reflect.

Today, we’ve learned how our Support Engineers troubleshoot audit rule configuration.

[Need assistance to fix this error or install tools? We’ll help you.]

Related Articles