4.1.1.2 Ensure augenrules is enabled

Information

augenrules reads rules from files ending in .rules within the /etc/audit/rules.d directory. These rules are written to the main rule file: /etc/audit/audit.rules.

The USE_AUGENRULES= option in /etc/sysconfig/auditd. This option determines whether or not to call augenrules to compile the audit.rules file from *.rules file(s) within the /etc/audit/rules.d directory.

When setting this up, any existing rules need to be copied into a file ending in *.rules in the /etc/audit/rules.d directory or they will be lost when audit.rules gets overwritten.

Rationale:

Keeping audit rules in a .rules file or file(s) within the /etc/audit/rules.d/ directory allows for more fine grained control of the rules being added to auditd.

Impact:

If a user configures rules in both audit.rules and rules.d, and augenrules is enabled, the file audit.rules will be override by augenrules

Solution

Edit the /etc/sysconfig/auditd file and edit or add the line:

USE_AUGENRULES='yes'




Default Value:

USE_AUGENRULES='no'

Additional Information:

While reading file names inside /etc/audit/rules.d, augenrules reads files starting with numeric first and then characters.

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 2b3a3c64151f3057989b9e778e3694037b247e027bb228ee9b1ae30ef255cf1e