audit.rules keeps going blank
I added the stig.rules config file from /usr/share/doc/audit-version/stig.rules to /etc/audit/audit.rules, and audit.rules was blank a day later.
How do I keep the rules persistent across reboots?
I followed the guidance in this link, to no avail -
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls_in_the_audit.rules_file.html
PG
Responses
Paul,
I would expect this to remain persistent across reboots without any configuration changes (this is my experience).
The only script that seems to reference audit.rules in /etc/init.d is the auditd service, and it appears to check if audit.rules exists and loads if it does:
test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
Do you have any other scripts that reference the audit.rules files in /etc/init.d?
grep audit.rules -R /etc/init.d/
Do you have any other system management software running on the server such as Puppet/Chef that is managing the /etc/audit directory?
Paul,
Apologies, I assumed RHEL 6 so what I've pasted won't be of much use. When I get a minute I'll take a look on a RHEL 7 box and see what I come up with.
Paul,
It looks like /etc/audit/audit.rules is automatically generated using the contents of /etc/audit/rules.d directory on boot.
Move your custom audit.rules file into /etc/audit/rules.d/audit.rules and then on boot it should be used to generate the /etc/audit/audit.rules file (ie. /etc/audit/audit.rules is regenerated on each boot).