Audit not logging SuSE 10.1
I am using the nispom.rules and stig.rules at /etc/audit.rules to try to audit my 10.1 system. My first question: these files state that they should be placed at /etc/audit/audit.rules (which I think is for SuSE 11, as I have gotten audit to work great on those). Should these same rules work for SuSE 10 as long as I place them at /etc/audit.rules? They look like the same format.
So far I have edited /etc/sysconfig/auditd, changing the key AUDITD_DISABLE_CONTEXTS=YES to NO, added the nispom.rules file to /etc/audit.rules, and did a reboot.
auditctl -s returns: "enabled=1 flag=1 pid=3598 rate_limit=0 backlog_limit=64 lost=0 backlog=0"
auditctl -l returns: "no rules. File System watches not supported"
The audit.log only grows right after boot then stops (it appears to be the same config information logged each auditd reboot).
Any ideas on what to try to get these rules either loaded properly or auditing? Again, I would assume it is the rule set, as auditctl -l claims "no rules", but I am not sure why.
Thank You