auditd.service or augenrules.sevice fails to load rules for users home directories

This document (000020912) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 15 SP4


Scenario 1:

Using augenrules and adding a rule to audit a users home directory /etc/audit/rules.d/audit.rules:

-w /root/.ssh/authorized_keys -p w -k access

Example error messages shown:

Jan 05 05:18:17 linux augenrules[6227]: There was an error in line 5 of /etc/audit/audit.rules
Jan 05 05:18:17 linux augenrules[6227]: No rules
Jan 05 05:18:17 linux systemd[1]: augenrules.service: Main process exited, code=exited, status=1/FAILURE
Jan 05 05:18:17 linux systemd[1]: augenrules.service: Failed with result 'exit-code'.
Jan 05 05:18:17 linux systemd[1]: Failed to start auditd rules generation.


Scenario 2:

Not using augenrules.service and enabling in auditd.service ExecStartPost to run auditctl to load rules.

## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
## uncomment the next line, and comment the Requires=augenrules.service above.
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

Example error messages shown:

Jan 05 05:20:22 linux auditd[6247]: Init complete, auditd 3.0.6 listening for events (startup state enable)
Jan 05 05:20:22 linux auditctl[6250]: Error sending add rule data request (No such file or directory)
Jan 05 05:20:22 linux auditctl[6250]: There was an error in line 5 of /etc/audit/audit.rules
Jan 05 05:20:22 linux auditctl[6250]: No rules



To enable the service being able to at least read users home directories run the following command:
# systemctl edit augenrules.service 

and add ProtectHome=read-only within the Service section:

Additionally, if in Scenario 2, make sure the line 'ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules' is commented within the Service section:
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

Note: Be aware that this modification lowers the security of auditd. If the service is compromised it can read all users home directories.


In both scenarios, the cause is that, efforts to hardening systemd add  ProtectHome=true to the service unit file, which protects user homes from being accessible for the processes of the service:

### Security Settings ###
# added automatically, for details please see



This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020912
  • Creation Date: 05-Jan-2023
  • Modified Date:11-Jan-2023
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center