Hello. Currently audit-2.4.3-r1 installs audit.rules to /etc/audit/ and /etc/audit/rules.d/ directories. auditd (via auditctl) uses only rules from /etc/audit. Rules from /etc/audit/rules.d can be processed by augenrules tool to generate a single rules file for auditd, which is placed in /etc/audit as well. Thus if one chooses to use augenrules, then rules installed in /etc/audit will be overwritten. Alternatively if one chooses not to use augenrules, then rules installed in /etc/audit/rules.d are there for nothing. Currently Gentoo initscript does not use augenrules, so nothing gets overwritten. However, it is not impossible to do so for user. Another problem is that comments inside rules file in /etc/audit/rules.d state that it is loaded by auditd, which is not true. Please provide a single rules file with a proper comment that would clearly distinct what rules are processed by auditctl and augenrules, what takes precedence, what gets overwritten and what not.
*** This bug has been marked as a duplicate of bug 529906 ***
(In reply to Brian Evans from comment #1) > > *** This bug has been marked as a duplicate of bug 529906 *** This is not a duplicate of #529906. Support for /etc/audit/rules.d/ is there already. At least sys-process/audit-2.4.3-r1 has it. This bug is about fixing the way this support was added in Gentoo. See my previous comment for several issues and possible ways to overcome them.