Details
augenrules reads rules from files ending in .rules within the /etc/audit/rules.d directory and writes the merged result to the main rule file, /etc/audit/audit.rules.
The USE_AUGENRULES= option in /etc/sysconfig/auditd determines whether augenrules is called to compile the audit.rules file from the *.rules file(s) within the /etc/audit/rules.d directory.
When enabling this, copy any existing rules into a file ending in .rules within the /etc/audit/rules.d directory; otherwise they will be lost when audit.rules is overwritten.
Rationale:
Keeping audit rules in one or more .rules files within the /etc/audit/rules.d/ directory allows for more fine-grained control of the rules being added to auditd.
Impact:
If rules are configured in both audit.rules and rules.d and augenrules is enabled, the file audit.rules will be overwritten by augenrules.
Solution
Edit the /etc/sysconfig/auditd file and edit or add the line:
USE_AUGENRULES='yes'
Default Value:
USE_AUGENRULES='no'
Additional Information:
augenrules reads the files in /etc/audit/rules.d in sorted file-name order, so names beginning with digits are processed before names beginning with letters.
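The following script is an added example, not part of this control's text or of the audit package; it checks the three points above on a host: that USE_AUGENRULES is set to yes in /etc/sysconfig/auditd, the order in which augenrules will read the .rules files (assumed here to be a plain lexical sort of the file names), and whether audit.rules contains rules that have no copy under rules.d and would therefore be lost on the next rebuild. Rule comparison is a whitespace-normalized line match, not a semantic one, so an equivalent rule written differently is reported as missing. The default paths are the real ones; every function takes its paths as arguments so it can be run against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the benchmark or the audit project): sanity checks
# for the augenrules setup. Paths default to the system ones but can be
# overridden through the environment or passed to the functions directly.

SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/auditd}"
RULES_FILE="${RULES_FILE:-/etc/audit/audit.rules}"
RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"

# Print the effective USE_AUGENRULES value ("yes", "no" or empty) from the
# given sysconfig file; the last assignment wins, as it would when sourced.
augenrules_setting() {
    grep -E '^[[:space:]]*USE_AUGENRULES=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e "s/[\"']//g" -e 's/[[:space:]]//g'
}

# List the *.rules file names in the directory in sorted order, which is the
# order augenrules concatenates them (assumption: lexical sort, so names that
# start with digits come before names that start with letters).
augenrules_order() {
    for f in "$1"/*.rules; do
        [ -e "$f" ] && basename "$f"
    done | sort
}

# Normalize rule lines on stdin: strip comments, trim and collapse whitespace,
# drop blank lines. This makes the line comparison below tolerant of spacing.
normalize_rules() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' -e '/^$/d'
}

# Print every rule present in the compiled rules file ($1) that does not
# appear in any *.rules file under the rules directory ($2).
orphan_rules() {
    work=$(mktemp -d)
    normalize_rules < "$1" | sort -u > "$work/main"
    cat "$2"/*.rules 2>/dev/null | normalize_rules | sort -u > "$work/dir"
    comm -23 "$work/main" "$work/dir"
    rm -rf "$work"
}

# Return 0 when augenrules is enabled and no rule would be lost, 1 otherwise.
check_augenrules() {
    status=0
    setting=$(augenrules_setting "$1")
    if [ "$setting" != "yes" ]; then
        echo "FAIL: USE_AUGENRULES is '${setting:-unset}' in $1 (expected 'yes')"
        status=1
    fi
    missing=$(orphan_rules "$2" "$3")
    if [ -n "$missing" ]; then
        echo "WARN: rules in $2 with no copy under $3 (lost on next augenrules run):"
        echo "$missing" | sed 's/^/    /'
        status=1
    fi
    return $status
}

# Stand-alone use: report on the live configuration when it is readable.
if [ -r "$SYSCONFIG" ] && [ -r "$RULES_FILE" ]; then
    echo "augenrules read order under $RULES_DIR:"
    augenrules_order "$RULES_DIR" | sed 's/^/    /'
    check_augenrules "$SYSCONFIG" "$RULES_FILE" "$RULES_DIR" && echo "OK"
fi
```

Run it as root (the rules files are normally mode 0640) before switching USE_AUGENRULES to yes; any line listed under WARN is a rule that only lives in audit.rules and needs to be moved into a rules.d file first.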
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.