chef-cookbooks / auditd

Install and configure user mode auditd tools


Doesn't work with RHEL/CentOS 7.x

jschripsema opened this issue · comments

The /etc/audit/audit.rules file is controlled by augenrules and the rules files in /etc/audit/rules.d/

However, the path is hardcoded and not overridable.

On RHEL 7 systems, we should write to /etc/audit/rules.d/audit.rules

Big bummer. Confirming the above: with (at least) 1.0.1, this does not work on RHEL 7.x. The following writes out /etc/audit/audit.rules with the CIS rules, then `ExecStartPost=-/sbin/augenrules --load` in the systemd service unit file trashes them:

```ruby
include_recipe 'auditd::default'

auditd_ruleset 'cis.rules' do
  cookbook 'auditd'
end
```

The fix is to write the rules out to (as @jschripsema has said) /etc/audit/rules.d/something

Here's a quick workaround for those hitting this issue before a fix happens. Change your source in the template block and/or the cookbook appropriately.

```ruby
include_recipe 'auditd::default'

# See: https://github.com/chef-cookbooks/auditd/issues/30
#
# The community cookbook does not have proper support for
# RHEL/CentOS 7.x yet, so we can't use this:
#
# auditd_ruleset 'cis.rules' do
#   cookbook 'auditd'
# end
#
# Instead, we just duplicate the `auditd_ruleset` provider
# code from the cookbook and modify it for our immediate
# needs on 7.x. We can still reference the auditd cookbook's
# template for rules' template source files though.

template '/etc/audit/rules.d/audit.rules' do
  only_if { node['platform_family'] == 'rhel' && node['platform_version'].to_i >= 7 }
  source 'cis.rules.erb'
  cookbook 'auditd'
  notifies :restart, 'service[auditd]'
end
```
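An added example (not part of the thread or the cookbook's own code): a Ruby check for the failure described above, listing rules that exist only in audit.rules and would be dropped when `augenrules --load` rebuilds that file from rules.d. The function names, the unit text and the rule lines are constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# True when the unit text runs augenrules after auditd starts, i.e.
# audit.rules is regenerated from rules.d on every service start.
def augenrules_managed?(unit_text)
  unit_text.each_line.any? { |l| l =~ /^\s*ExecStartPost=-?\S*augenrules\b/ }
end

# Strip comments and blank lines so only effective rules are compared.
def effective_rules(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Rules present in audit.rules but in no rules.d/*.rules file: these are
# the ones lost the next time augenrules --load rebuilds audit.rules.
def rules_at_risk(audit_dir)
  live = effective_rules(File.read(File.join(audit_dir, 'audit.rules')))
  managed = Dir.glob(File.join(audit_dir, 'rules.d', '*.rules')).sort
               .flat_map { |f| effective_rules(File.read(f)) }
  live - managed
end

# Where a config-management tool should write rules for this host.
def rules_target(unit_text, audit_dir)
  sub = augenrules_managed?(unit_text) ? 'rules.d/audit.rules' : 'audit.rules'
  File.join(audit_dir, sub)
end

# Constructed sample data (not taken from a real host).
SAMPLE_UNIT = <<~UNIT
  [Service]
  ExecStart=/sbin/auditd -n
  ExecStartPost=-/sbin/augenrules --load
UNIT
SAMPLE_CIS = "-w /etc/passwd -p wa -k identity\n-w /etc/sudoers -p wa -k scope\n"

def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'rules.d'))
    # State after rules were written straight to audit.rules.
    File.write(File.join(dir, 'audit.rules'), "# CIS\n" + SAMPLE_CIS)
    File.write(File.join(dir, 'rules.d', 'audit.rules'), "-D\n-b 320\n")
    before = rules_at_risk(dir)
    # State after writing the same rules to the rules.d target instead.
    File.write(rules_target(SAMPLE_UNIT, dir), SAMPLE_CIS)
    [before, rules_at_risk(dir)]
  end
end
```

Running `rules_at_risk('/etc/audit')` on a converged node gives a quick compliance check: a non-empty result means the loaded audit policy will not survive the next auditd start.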

If someone wants to dig in on getting proper cross-platform support in the updated custom resources, we'd gladly merge that in.

@tas50 -- I got you chief

Confirmed that #33 fixes this for me. Thanks!