
audit rule doesn't load via systemctl restart auditd

0 votes
1 answer
2718 views
I was trying to see what was enabling IPv4 forwarding in the file /proc/sys/net/ipv4/ip_forward (I've discovered that this was Docker, but I'd still like to understand my auditd issue). So I decided to make an audit rule:
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
The issue is that the rule only loads if I manually issue:
augenrules --load
A simple
restart auditd
will clear this rule, meaning that during boot it will get wiped. My /etc/audit/rules.d/audit.rules file contents (the only rule file in the directory):
-D

-b 8192

--backlog_wait_time 60000

-f 1

-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
Example of restarting auditd:
$ sudo systemctl restart auditd
$ sudo auditctl -l
-w /etc/fstab -p rwa -k fstab #<- Only this rule loads
Example of running augenrules:
$ sudo augenrules --load
/usr/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0

$ sudo auditctl -l
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-12-11 16:42:29 EST; 6min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation 
    Process: 3114 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 3119 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 3116 (auditd)
      Tasks: 2 (limit: 9346)
     Memory: 548.0K
        CPU: 125ms
     CGroup: /system.slice/auditd.service
             └─3116 /sbin/auditd

Dec 11 16:42:29 ubuntu augenrules: enabled 1
Dec 11 16:42:29 ubuntu augenrules: failure 1
Dec 11 16:42:29 ubuntu augenrules: pid 3116
Dec 11 16:42:29 ubuntu augenrules: rate_limit 0
Dec 11 16:42:29 ubuntu augenrules: backlog_limit 8192
Dec 11 16:42:29 ubuntu augenrules: lost 0
Dec 11 16:42:29 ubuntu augenrules: backlog 0
Dec 11 16:42:29 ubuntu augenrules: backlog_wait_time 60000
Dec 11 16:42:29 ubuntu augenrules: backlog_wait_time_actual 0
Dec 11 16:42:29 ubuntu systemd: Started Security Auditing Service.
Running Ubuntu 22.04 with auditd version 1:3.0.7-1build1. Any ideas? Thanks!
Asked by wabbajack001 (91 rep)
Dec 11, 2023, 09:55 PM
Last activity: Jun 16, 2025, 04:03 PM
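As an added check (an example script written for this page, not part of the question above and not a tool shipped with the audit package), the following POSIX shell functions compare the watch rules declared in /etc/audit/rules.d against what `auditctl -l` reports, so a rule that silently fails to load after `systemctl restart auditd` shows up in a post-boot health check rather than being noticed by accident. The two sample strings are constructed from the question's own rules file and `auditctl -l` output; `live_check` is a hypothetical wrapper that reads the real files and needs root, and is not run at the top level.

```shell
#!/bin/sh
# Constructed sample input: the rules.d file from the question.
RULES_D_SAMPLE='-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab'

# Constructed sample input: what auditctl -l printed after the restart,
# including the asker's trailing "#" annotation, which is stripped below.
LOADED_SAMPLE='-w /etc/fstab -p rwa -k fstab #<- Only this rule loads'

# Print only the rule lines (-w watches and -a syscall rules) from a rules
# file or auditctl -l listing: control lines such as -D, -b, -f and
# --backlog_wait_time are configuration, not rules, and are dropped along
# with comments, blank lines and surplus whitespace.
expected_rules() {
    printf '%s\n' "$1" \
        | sed 's/#.*//' \
        | grep -E '^[[:space:]]*-(w|a)[[:space:]]' \
        | tr -s ' ' \
        | sed 's/^ *//; s/ *$//'
}

# Print every rule present in the declared set ($1) but absent from the
# loaded set ($2). Prints nothing when all declared rules are loaded.
missing_rules() {
    _declared=$(expected_rules "$1")
    _loaded=$(expected_rules "$2")
    printf '%s\n' "$_declared" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # Exact, whole-line match so that "-w /etc/fstab -p rwa -k fstab"
        # does not satisfy a declared rule with a different permission mask.
        printf '%s\n' "$_loaded" | grep -Fxq -e "$rule" || printf '%s\n' "$rule"
    done
}

# Exit status 0 when nothing is missing, 1 otherwise.
rules_ok() {
    [ -z "$(missing_rules "$1" "$2")" ]
}

# Hypothetical live wrapper for a real host: compares the contents of
# /etc/audit/rules.d/*.rules with the kernel's loaded rules. Requires root.
live_check() {
    rules_ok "$(cat /etc/audit/rules.d/*.rules)" "$(auditctl -l)"
}

# Demonstration on the constructed samples: the ip_forward watch is reported.
if rules_ok "$RULES_D_SAMPLE" "$LOADED_SAMPLE"; then
    echo "all declared audit rules are loaded"
else
    echo "declared audit rules missing from the kernel:"
    missing_rules "$RULES_D_SAMPLE" "$LOADED_SAMPLE"
fi
```

The comparison is a normalized exact-string match, which is reliable for `-w` watches because `auditctl -l` prints them back in the same form. For `-a` syscall rules the listing can be canonicalized (for example, field order and `-S` syscall lists), so those may need further normalization before this check is trusted for them. Run `live_check` from a systemd timer or a configuration-management post-boot hook to catch the failure mode in the question on every boot.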