Persisting /etc/securetty Contents
STIG V-ID 38494 specifies that serial console devices should be omitted from /etc/securetty. This is easily enough accomplished in any given CM framework by scanning the file and nuking any ttyS* entries. Unfortunately, when you reboot an EL6 system, upstart puts any GRUB-specified console entries back.

I've tried creating an /etc/login/serial.override file and omitting the /sbin/securetty and fedora.serial-console-available entries. Similarly, I tried creating an /etc/init/ttyS0.conf line with those entry points omitted. In either case, after reboot, ttyS0 is placed back into /etc/securetty.

Short of nuking the offending ttyS* entries and then doing a chattr -i /etc/securetty, is there any better way to prevent the entries from coming back? I'd really rather avoid the chattr work-around.