Hi everyone,
I’m trying to get auditd (version: 4.1.2) running reliably on my Arch Linux system. I’m using systemd-boot with UKI and an encrypted root (LUKS). My goal is a consistent audit setup across Linux systems: rules should be placed under /etc/audit/rules.d/ and loaded by auditd.
Current setup and steps:
1. Kernel parameters
In /etc/kernel/cmdline I have
cryptdevice=UUID=<ROOT-UUID>:cryptroot root=/dev/mapper/cryptroot rw quiet apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192
After reboot, /proc/cmdline shows the correct parameters.
auditctl -s shows enabled 1 and backlog_limit 8192.
System boots into the GUI normally after entering the LUKS password.
I set these because auditctl -s showed enabled 0 before, but the systemd service was running then.
2. Audit rules
All rules are under /etc/audit/rules.d/.
auditctl -l shows “No rules”, and augenrules --load reports “No change”.
3. auditd service
By default, auditd crashes on startup (Unable to set initial audit startup state to 'enable') after the kernel vars are set.
I created a systemd drop-in at /etc/systemd/system/auditd.service.d/override.conf, without success:
[Service]
ExecStart=
ExecStart=/usr/sbin/auditd -n
4. auditd.conf
Added set_enforce_config = no so auditd doesn’t try to re-enable kernel auditing, but this option is not available. No success.
Problem
Despite correct boot parameters and the override, auditd still occasionally crashes or fails to start properly.
Kernel auditing is already active (audit=1), but rules aren’t loaded.
Can anybody help me out here with how I can use auditd with my setup? What am I doing wrong?
Best regards
EDIT
The solution was that the rules I set under rules.d were too complex. So I keep the rules simple and it works now without setting kernel parameters.
Last edited by Pampa_Party (2026-01-09 12:03:16)
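Added example (not from the post above and not part of the audit project): a small POSIX sh pre-flight script that checks the two things the thread turned on, whether the kernel command line actually carries audit=1 / audit_backlog_limit=, and whether each file under /etc/audit/rules.d/ contains only lines that augenrules can hand to auditctl. It assumes the default rules directory /etc/audit/rules.d/*.rules, a readable /proc/cmdline, and auditctl/augenrules in PATH; the rules file used in the comments is constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for an auditd setup (added example, assumptions noted above).

# cmdline_param NAME CMDLINE
# Prints the value of NAME=... found in CMDLINE, or "missing" if absent.
cmdline_param() {
    name=$1
    cmdline=$2
    for tok in $cmdline; do
        case $tok in
            "$name"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    printf 'missing\n'
    return 1
}

# lint_rules FILE
# Counts lines that are neither blank/comment nor start with an auditctl
# action (-a, -A, -w, -W, -d, -D, -b, -e, -f, -r, -c, -i, --long-options).
# A line such as "w /etc/shadow" (dash dropped) is the kind of slip that makes
# augenrules/auditctl reject the whole file. Prints the count, exit 0 if none.
lint_rules() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                                   # blank or comment
            '-a '*|'-A '*|'-w '*|'-W '*|'-d '*|'-D'|'-D '*) ;;
            '-b '*|'-e '*|'-f '*|'-r '*|'-c'|'-i'|'--'*) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done < "$file"
    printf '%s\n' "$bad"
    [ "$bad" -eq 0 ]
}

# preflight
# Runs the checks against the live system (auditctl -s needs root).
preflight() {
    cmdline=$(cat /proc/cmdline)
    echo "audit=$(cmdline_param audit "$cmdline") audit_backlog_limit=$(cmdline_param audit_backlog_limit "$cmdline")"
    for f in /etc/audit/rules.d/*.rules; do
        [ -e "$f" ] || continue
        if n=$(lint_rules "$f"); then
            echo "ok   $f"
        else
            echo "WARN $f: $n unrecognised line(s)"
        fi
    done
    # augenrules --check reports whether the compiled /etc/audit/audit.rules is
    # older than the files in rules.d; auditctl -s shows enabled/backlog state.
    augenrules --check
    auditctl -s
}

# Run the live checks only when invoked as:  sh audit-preflight.sh preflight
case ${1:-} in
    preflight) preflight ;;
esac
```

Run with `sh audit-preflight.sh preflight` as root. The lint only catches malformed lines; a rule file can be syntactically fine and still be rejected by the kernel (for example a syscall not known on the running architecture), so `augenrules --load` followed by `auditctl -l` remains the authoritative check.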