I need to update /etc/audit/audit.rules. I would replace the file restart the service, but I found in the log a call to augenrules during initial startup of the machine.
Apart from the initial startup, is there any time when augenrules runs automatically?
Best Answer
The answer is in
/etc/systemd/system/multi-user.target.wants/auditd.service
So starting the service calls augenrules. Note that the service is only started on server startup.