What is the proper way to enable auditd and rules with Project Atomic?
- installed audit-2.6.5-3.el7.x86_64 (rpm-ostree pkg-add audit -r)
Whenever I have a rule (or rules) like the following:
-w /usr/bin/docker -k docker
-w /etc/docker -k docker
-w /etc/sysconfig/docker -k docker
I'll get a log error message: "There was an error in line 5 of /etc/audit/audit.rules".
If I remove all my rules, the logs will state the following:
systemd[1]: Starting Security Auditing Service...
systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: Failed to start Security Auditing Service.
systemd[1]: Unit auditd.service entered failed state.
systemd[1]: auditd.service failed.
Any thoughts?
Thanks.
Steve