No FANOTIFY event seen in the audit log despite fapolicyd blocking operations

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8 and 9
    • fapolicyd

Issue

  • Even though fapolicyd is known to block operations, no FANOTIFY event is seen in the audit log

Resolution

  • This is expected behavior when no audit rule is set at all.

  • This is because, in that case, the audit subsystem is disabled in the kernel, so no FANOTIFY record is produced for the denial.

  • The fapolicyd(8) manpage has some statement about this:

       The default rules will generate audit events whenever there is a denial. NOTE: you must have at least 1
       audit rule loaded for the audit system to create the full FANOTIFY event. It doesn't matter which rule is
       loaded. [...]
    
  • To ensure FANOTIFY events are recorded in the audit log, make sure to have some audit rule, e.g.:

    -w /etc/shadow -p w
    
  • The above audit rule additionally enables "full-path" auditing, which is helpful when checking the audit log with the ausearch command.

  • After adding the rule to /etc/audit/rules.d/audit.rules or another file in that directory, don't forget to restart the auditd service:

    # service auditd restart
    
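As an added example (not part of the Red Hat solution), a small POSIX shell helper that checks whether an audit rules.d directory actually holds a rule and appends the watch rule above when it does not. Control statements such as -D, -b, -f and --backlog_wait_time do not count as rules, so a stock audit.rules containing only them leaves the audit subsystem without a single loaded rule. The directory argument and the file name fapolicyd-fanotify.rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution. Works on any directory so it can
# be tried on a scratch copy before touching /etc/audit/rules.d.

# Count effective rules (-w watch rules and -a syscall rules) across all
# *.rules files in the given directory, ignoring blank lines, comments and
# control statements (-D, -b, -f, --backlog_wait_time ...). Prints the count.
count_audit_rules() {
    cat "$1"/*.rules 2>/dev/null | grep -Ec '^[[:space:]]*-(w|a)[[:space:]]' || true
}

# Append the minimal watch rule from the solution to a dedicated rules file
# (name is an assumption) when the directory has no rule yet.
# Returns 0 if a rule was added, 1 if a rule was already present.
ensure_audit_rule() {
    if [ "$(count_audit_rules "$1")" -gt 0 ]; then
        return 1
    fi
    printf '%s\n' '-w /etc/shadow -p w' >> "$1/fapolicyd-fanotify.rules"
    return 0
}

# Live check on a running host (needs root): auditctl -l prints "No rules"
# when the kernel has nothing loaded, which is exactly the state in which
# fapolicyd denials leave no FANOTIFY record.
audit_rules_loaded() {
    auditctl -l 2>/dev/null | grep -vq '^No rules'
}

# After "service auditd restart", list recent FANOTIFY denials in readable form.
recent_fanotify_events() {
    ausearch -m FANOTIFY -i -ts recent
}
```

Typical use on a host: `ensure_audit_rule /etc/audit/rules.d && service auditd restart`, then `audit_rules_loaded && recent_fanotify_events`.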

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.