Debian 9 /etc/audit/audit.rules issues

Question

Debian 9 /etc/audit/audit.rules issues

nicutor opened this issue 6 years ago · comments

Nicu B commented 6 years ago

Hi,

/etc/audit/audit.rules file is overridden on each run on debian 9.

Can you please check and fix?

Thank you!

Eric Heydrick · Answer 1 · Fri Jul 13 2018 06:15:58 GMT+0800 (China Standard Time)

There's a couple issues with Debian 9 / Ubuntu 18.04. The big issue is that auditd now compiles the rules in /etc/audit/rules.d to /etc/audit/audit.rules and any rules placed in /etc/audit/audit.rules directly will be overwritten. Previous versions had this behavior disabled in /etc/default/auditd - USE_AUGENRULES="no".

Another issue is that the example rulesets are now located in /usr/share/doc/auditd/examples/rules and have different names. e.g. the stig rules are now 30-stig.rules.gz.

Working on a fix.

Eric Heydrick · Answer 2 · Fri Jul 13 2018 07:32:33 GMT+0800 (China Standard Time)

Created PR #39 to address the first issue.