Informationaugenrules reads rules from files ending in .rules within the /etc/audit/rules.d directory. These rules are written to the main rule file: /etc/audit/audit.rules.
The USE_AUGENRULES= option in /etc/sysconfig/auditd. This option determines whether or not to call augenrules to compile the audit.rules file from *.rules file(s) within the /etc/audit/rules.d directory.
When setting this up, any existing rules need to be copied into a file ending in *.rules in the /etc/audit/rules.d directory or they will be lost when audit.rules gets overwritten.
Keeping audit rules in a .rules file or file(s) within the /etc/audit/rules.d/ directory allows for more fine grained control of the rules being added to auditd.
If a user configures rules in both audit.rules and rules.d, and augenrules is enabled, the file audit.rules will be override by augenrules
SolutionEdit the /etc/sysconfig/auditd file and edit or add the line:
While reading file names inside /etc/audit/rules.d, augenrules reads files starting with numeric first and then characters.