4.1.3.21 Ensure the running and on disk configuration is the same

Information

The Audit system have both on disk and running configuration. It is possible for these configuration settings to differ.

Note: Due to the limitations of augenrules and auditctl, it is not absolutely guaranteed that loading the rule sets via augenrules --load will result in all rules being loaded or even that the user will be informed if there was a problem loading the rules.

Rationale:

Configuration differences between what is currently running and what is on disk could cause unexpected problems or may give a false impression of compliance requirements.

Solution

If the rules are not aligned across all three () areas, run the following command to merge and load all rules:

# augenrules --load

Check if reboot is required.

if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then echo 'Reboot required to load rules'; fi

Additional Information:

Potential reboot required

If the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.

See Also

https://workbench.cisecurity.org/files/3807