4.1.3.21 Ensure the running and on disk configuration is the same

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ.

Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules.

Rationale:

Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements.

Solution

If the rules are not aligned across all three () areas, run the following command to merge and load all rules:

# augenrules --load

Check if reboot is required.

if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then echo 'Reboot required to load rules'; fi

Additional Information:

Potential reboot required

If the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.

See Also

https://workbench.cisecurity.org/files/3807