Information
The audit system has both an on-disk and a running configuration. It is possible for these configuration settings to differ.
Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules.
Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements.
Solution
If the rules are not aligned across all three areas, run the following command to merge and load all rules:
# augenrules --load
Check if reboot is required.
if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then echo 'Reboot required to load rules'; fi
Potential reboot required
If the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.
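One way to see whether the running rules actually match what is on disk, as an added example that is not part of the original text. It assumes augenrules has written the merged rules to /etc/audit/audit.rules and compares them textually with the output of auditctl -l, so a rule the kernel lists in a different but equivalent form shows up as a difference to review. The function names are hypothetical; call check_live as root.

```shell
#!/bin/sh
# Added example: find audit rules that are on disk but not loaded.

# Keep only rule lines (-a / -A / -w) from stdin. Comments, blank lines and
# control options such as -D, -b, -f and -e are dropped, whitespace is
# collapsed, and the result is sorted so the two sets can be compared.
normalize_rules() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' |
        grep -E '^-[aAw] ' | LC_ALL=C sort -u
}

# Print rules present in the on-disk file ($1) but absent from a saved
# copy of the running rule list ($2).
missing_from_running() {
    disk=$(mktemp) run=$(mktemp)
    normalize_rules < "$1" > "$disk"
    normalize_rules < "$2" > "$run"
    LC_ALL=C comm -23 "$disk" "$run"
    rm -f "$disk" "$run"
}

# Succeed if `auditctl -s` output on stdin shows the locked state (-e 2).
# Accepts both the "enabled 2" and the older "enabled=2" status layouts.
is_locked() {
    grep -Eq '(^|[[:space:]])enabled[ =]2([[:space:]]|$)'
}

# Live check, to be run as root on the audited host.
check_live() {
    # Non-zero here means rules.d has changed since audit.rules was merged.
    augenrules --check || echo 'rules.d differs from audit.rules'
    running=$(mktemp)
    auditctl -l > "$running"
    echo 'On disk but not loaded:'
    missing_from_running /etc/audit/audit.rules "$running"
    if auditctl -s | is_locked; then
        echo 'Configuration is locked (-e 2): reboot required to load rules'
    fi
    rm -f "$running"
}
```

An empty list after "On disk but not loaded:" together with no lock message means the running configuration contains every rule from the merged file.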