Re: Load Rules on boot in audit framework?
Reply #3 –
augenrules should be run before auditd starts. It doesn't seem to happen in OpenRC now either; it used to work perhaps a year or so ago, but I haven't done anything with audit for quite a while now. Perhaps the init scripts have changed. For OpenRC they are taken from Gentoo, it seems.
For runit something like this used to work, but probably would need adapting a bit here:
#!/bin/sh
# Enable augenrules instead of auditctl by defining AUGENRULES=1 in /etc/sv/auditd/conf
[ -r conf ] && . ./conf
if [ "$AUGENRULES" ]
then
    /usr/bin/augenrules --load >/dev/null 2>&1
else
    [ -r "${OPT_FILE:=/etc/audit/audit.rules}" ] && /usr/bin/auditctl "${AUDITCTL_OPTS:=-R}" "${OPT_FILE:=/etc/audit/audit.rules}" >/dev/null 2>&1
fi
exec /usr/bin/auditd "${AUDITD_OPTS:=-n}"
Or you could make another service for augenrules that runs before auditd.
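Added example, not part of the original post: the run script above sends all loader output to /dev/null, so a rules file that fails to load leaves auditd running with an empty rule set and no visible error. The function below keeps the loader's diagnostics and confirms that rules are actually present before auditd starts; `load_audit_rules`, `AUGENRULES_BIN` and `AUDITCTL_BIN` are names assumed here, not from the post.

```shell
#!/bin/sh
# Added example, not the poster's script. AUGENRULES_BIN, AUDITCTL_BIN and
# load_audit_rules are assumed names; the variables let the tools be swapped
# out (for example with stubs) without editing the function.
: "${AUGENRULES_BIN:=/usr/bin/augenrules}"
: "${AUDITCTL_BIN:=/usr/bin/auditctl}"

# Load the rules, keep the loader's diagnostics, then confirm that the kernel
# really holds rules. Returns:
#   0  rules loaded and listed
#   1  augenrules --load exited non-zero (its output is written to stderr)
#   2  the loader succeeded but the rule list is empty or cannot be read
load_audit_rules() {
    if ! out=$("$AUGENRULES_BIN" --load 2>&1); then
        echo "auditd: augenrules --load failed: $out" >&2
        return 1
    fi

    # auditctl -l prints the literal text "No rules" for an empty rule list.
    loaded=$("$AUDITCTL_BIN" -l 2>&1) || return 2
    case "$loaded" in
        "" | "No rules")
            echo "auditd: loader succeeded but no audit rules are active" >&2
            return 2
            ;;
    esac
    return 0
}

# Assumed usage inside a runit run script, in place of the silent load:
#   load_audit_rules || echo "auditd: starting without verified rules" >&2
#   exec /usr/bin/auditd "${AUDITD_OPTS:=-n}"
```

Under runit, anything the run script writes to stderr goes to the service's logger if one is configured, so a failed load becomes visible there.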