How to Modify auditd Rules in Immutable Mode and Resolve the "The audit system is in immutable mode, no rule changes allowed" Error
This document (000021038) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
Situation
# auditctl -a always,exit -F dir=/home -F perm=war -k file_del
The audit system is in immutable mode, no rule changes allowed
Resolution
- To add a permanent auditd rule while the immutable flag is set, follow these steps:
- Create a rule file under the /etc/audit/rules.d/ directory (the file name must end in .rules, otherwise augenrules does not merge it) and reboot the server.
- During the reboot the auditd rules are loaded again, with the rule that sets the immutable flag (-e 2) as the last rule, so the new rule is in place before the configuration is locked.
# auditctl -a always,exit -F dir=/home -F perm=war -k file_del
The audit system is in immutable mode, no rule changes allowed
# auditctl -l
No rules
# vi /etc/audit/rules.d/audit.rules
<add rule>
# grep file_del /etc/audit/rules.d/audit.rules
-a always,exit -F dir=/home -F perm=war -k file_del
# reboot
<reboot>
# auditctl -l
-a always,exit -F dir=/home -F perm=war -k file_del
#
- If you want to disable the immutable flag and add rules at runtime, follow these steps:
- Locate the file under the /etc/audit/rules.d/ directory where the immutable flag (-e 2) is set, delete that entry, reboot the server, and then add the runtime rule. The flag cannot be cleared with auditctl -e 0 or auditctl -e 1 on a running system; a reboot is the only way out of immutable mode.
# auditctl -a always,exit -F dir=/home -F perm=war -k file_del
The audit system is in immutable mode, no rule changes allowed
# auditctl -l
No rules
# grep -r "\-e 2" /etc/audit/rules.d/*
/etc/audit/rules.d/audit.rules:-e 2
# vi /etc/audit/rules.d/audit.rules
<remove entry>
# grep -r "\-e 2" /etc/audit/rules.d/*
#
# reboot
<reboot>
# auditctl -l
No rules
# auditctl -a always,exit -F dir=/home -F perm=war -k file_del
# auditctl -l
-a always,exit -F dir=/home -F perm=war -k file_del
#
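The two procedures above share the same preflight work: confirm from auditctl -s that the kernel really is locked, find the rules.d file that augenrules will actually load and that contains -e 2 (backup copies that do not end in .rules are ignored by augenrules), and make sure that after adding a new rule file -e 2 is still the last rule in the merged set, because any rule loaded after it is rejected with the same immutable-mode error. The script below is an added example and not part of this TID; it assumes augenrules merges only /etc/audit/rules.d/*.rules in sorted order, and it reads the auditctl -s output from stdin and the rules directory from an argument so it can be exercised on constructed data without a running auditd.

```shell
#!/bin/bash
# Added example (not part of the SUSE TID): preflight checks before editing
# auditd rules on a host that may be in immutable mode.
# Assumptions not stated on the page: augenrules merges only files named
# /etc/audit/rules.d/*.rules, in sorted order; input is taken from stdin or a
# directory argument so the functions can be run offline.

# Return 0 when the "enabled" field of `auditctl -s` output (read from stdin)
# is 2, i.e. the configuration is locked until reboot. Returns 1 for
# enabled 0/1 and 2 when the field is missing from the input.
audit_is_immutable() {
    awk '$1 == "enabled" { found = 1; status = ($2 == 2) ? 0 : 1 }
         END { if (!found) exit 2; exit status }'
}

# Print every file in $1 that augenrules would merge (*.rules only) and that
# sets "-e 2". Backups such as audit.rules.bkp are skipped, exactly as
# augenrules skips them, so the output is the file that actually matters.
find_immutable_rule_files() {
    local dir="$1" f
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Print the rules augenrules would load from $1: *.rules in sorted order,
# with comment and blank lines dropped.
merged_rules() {
    local dir="$1" f
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" || true
    done
    return 0
}

# Return 0 if the last rule of the merged set is "-e 2", 1 otherwise.
# A rule file that sorts after the one holding "-e 2" is loaded after the
# lock and fails with "no rule changes allowed" at the next boot.
immutable_flag_is_last() {
    local last
    last=$(merged_rules "$1" | tail -n 1)
    [ "$(printf '%s' "$last" | tr -s '[:blank:]' ' ')" = "-e 2" ]
}

# Demo on constructed data mirroring the layout shown in this TID.
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '-a always,exit -F dir=/home -F perm=war -k file_del' '-e 2' > "$d/audit.rules"
    printf '%s\n' '-e 2' > "$d/audit.rules.bkp"   # ignored by augenrules
    printf 'enabled 2\nfailure 1\npid 30934\n' | audit_is_immutable \
        && echo "kernel reports immutable mode; changes need a reboot"
    echo "file that sets the lock: $(find_immutable_rule_files "$d")"
    immutable_flag_is_last "$d" && echo "-e 2 is the last merged rule: ok"
    # A new file sorting after audit.rules would be loaded after the lock.
    printf '%s\n' '-w /etc/passwd -p wa -k passwd' > "$d/zz-extra.rules"
    immutable_flag_is_last "$d" \
        || echo "-e 2 is no longer last: move it to the file that sorts last"
    rm -rf "$d"
}

demo
```

The safe layout is therefore one dedicated file that sorts last in /etc/audit/rules.d/ (for example 99-finalize.rules) holding only -e 2, with every other rule in files that sort before it; running immutable_flag_is_last against the directory after each change confirms the order before the reboot that will apply it.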
Cause
The -e control option, as described in auditctl(8):
-e [0..2]
Set enabled flag. When 0 is passed, this can be used to temporarily disable auditing.
When 1 is passed as an argument, it will enable auditing.
To lock the audit configuration so that it can’t be changed, pass a 2 as the argument.
Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active.
Any attempt to change the configuration in this mode will be audited and denied.
The configuration can only be changed by rebooting the machine.
Additional Information
- A rule has been configured under the directory /etc/audit/rules.d/ to set the immutable flag permanently.
# grep "\-e 2" /etc/audit/rules.d/*
/etc/audit/rules.d/audit.rules:-e 2
/etc/audit/rules.d/audit.rules-04042023:-e 2
/etc/audit/rules.d/audit.rules.bkp:-e 2
/etc/audit/rules.d/audit.rules.bkp_2022-10-23:-e 2
/etc/audit/rules.d/audit.rules.bkp_2022-11-25:-e 2
In the above example, the immutable flag was included in the file named /etc/audit/rules.d/audit.rules. The other matches are backup copies; augenrules only merges files whose names end in .rules, so they are never loaded and can be ignored when looking for the active entry.
- The immutable flag has been set at runtime from the command line (auditctl -e 2). Whichever way it was set, auditctl -s reports the locked state as enabled 2:
# auditctl -s
enabled 2
failure 1
pid 30934
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021038
- Creation Date: 10-Apr-2023
- Modified Date: 11-Apr-2023
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com