We have added new audit rules to the configuration file /etc/audit/rules.d/audit.rules as shown below:
# vi /etc/audit/rules.d/audit.rules -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
But, these configurations does not reflected.
# auditctl -l No rules
1. The first thing to check here is the rule’s syntax and correct if it is wrong. For example, you can manually run the rule you have configured in the configuration file. You should see the syntax error on the command line when you run the command. For example:
# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change Syscall name unknown: stime The audit system is in immutable mode, no rule changes allowed
2. Correct the rule argument “-S time” and restart the system. The restart is required to disable the auditd immutable mode.
3. Post reboot, all of the audit rule will reflect.
# auditctl -l -a always,exit -F arch=x86_64 -S adjtimex,settimeofday,time,clock_settime -F key=time-change -a always,exit -F arch=x86_64 -S sethostname,setdomainname -F key=system-locale
If you set the incorrect syntax in /etc/audit/rules.d/audit.rules configuration file, auditd stop the rule registration. So, all of the rules after incorrect syntax line, will not reflect.