From: "warron.french"
Subject: rules.d on RHEL6
Date: Wed, 12 Apr 2017 10:18:55 -0400
To: linux-audit@redhat.com

It appears that this directory is not used at all on RHEL6.

I know I have mentioned this before; but it's true. If I *move* my copy of audit.rules from /etc/audit into the subdirectory rules.d and restart audit; the audit.rules file is not recopied/regenerated or whatever by the auditd.

This behavior is different from RHEL7; where if you delete the /etc/audit/audit.rules file or move it to /etc/audit/rules.d/audit.rules; the auditd functions as I expect.

Can someone please correct my understanding? Is the /etc/audit/rules.d directory not supposed to be usable in RHEL6; but is in RHEL7?

--------------------------
Warron French