Auditd service restart overrides changes made to /etc/audit/audit.rules
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- audit-libs-2.3.7-5
Issue
When I try to update /etc/audit/audit.rules, auditd service restart causes the new rules I'm trying to add to be replaced by the initial ruleset.
Resolution
- Audit rules files should be placed in /etc/audit/rules.d
- File names should end with ".rules"
Alternatively
-
Red Hat Enterprise Linux 6
- Set USE_AUGENRULES=no in /etc/sysconfig/auditd
- Restart the auditd service: service auditd restart
-
Red Hat Enterprise Linux 7
- Copy file /usr/lib/systemd/system/auditd.service to /etc/systemd/system/auditd.service
- Edit /etc/systemd/system/auditd.service according to the comments in the file
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service ## and comment/delete the next line and uncomment the auditctl line. ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ ExecStartPost=-/sbin/augenrules --load #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
- Reload systemd daemon to reload changes made in auditd service unit file:
$ systemctl daemon-reload
- Restart the auditd service: service auditd restart
Root Cause
- With audit-libs-2.3.7-5,the augenrules utility support has been added to the audit packages.
- From augenrules man page
augenrules is a script that merges all component audit rules files, found in the audit rules directory, /etc/audit/rules.d, placing the merged file in
/etc/audit/audit.rules. Component audit rule files, must end in .rules in order to be processed. All other files in /etc/audit/rules.d are ignored.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments