"systemctl restart auditd.service" will not reload audit rules

This document (000020846) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP5

Situation

auditd is the Linux Audit daemon. When adding a new rule, as described below, systemctl restart auditd.service will not reload audit rules. Example:

sles15-sp4:~ # cat /etc/audit/rules.d/audit.rules | egrep -v '^#|^$'
-D
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k passwd_changes
-w /sbin/insmod -p x -k module_insertion

Restarting the service:

sles15-sp4:~ # systemctl restart auditd.service

Results:

sles15-sp4:~ # auditctl -l
No rules

Resolution

The issue is now fixed with audit-3.0.6-150400.4.13.1.

Cause

Dependancy between auditd.service and augenrules.service.

Additional Information

As a workaround, the below procedure can be followed.

1. Make a copy of the existing systemd auditd.service file

cp /usr/lib/systemd/system/auditd.service /etc/systemd/system

2. Edit /etc/systemd/system/auditd.service with the following changes:

a. Comment out Requires=augenrules.service
b. Enable the below parameters:

ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecStartPost=-/sbin/augenrules --load

3. Finally, restart the service and verify if the rules are being properly loaded with auditctl -l

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.