On CentOS 7, the audit system follows a specific configuration pattern. The main configuration file `/etc/audit/audit.rules` is actually generated from rules stored in `/etc/audit/rules.d/`. This is clearly indicated by the comment at the top of the file:

```
## This file is automatically generated from /etc/audit/rules.d
```
Instead of directly editing `/etc/audit/audit.rules`, you should:

- Create or modify files in `/etc/audit/rules.d/`
- Use the proper service command to regenerate the rules
Here's the correct sequence of commands:

```sh
# Edit or create your custom rules file
sudo vi /etc/audit/rules.d/my-custom.rules
# Reload the auditd service to regenerate audit.rules
sudo service auditd restart
```
Let's say you want to monitor changes to `/etc/passwd`. Create a new file:

```sh
sudo vi /etc/audit/rules.d/file-monitoring.rules
```

Add these rules:

```
# Monitor /etc/passwd for writes and attribute changes
-w /etc/passwd -p wa -k passwd_changes
```

Then apply them:

```sh
sudo service auditd restart
sudo auditctl -l   # Verify the rules are loaded
```
- Files in `rules.d/` are processed in alphabetical order
- The `audit.rules` file is overwritten on service restart
- Use `auditctl -l` to verify currently loaded rules
If your rules aren't being applied:

```sh
# Load the rules from the file; auditctl reports syntax errors (with the line number) as it reads them
sudo auditctl -R /etc/audit/rules.d/your-file.rules
# Verify the audit service status
sudo systemctl status auditd
# Check logs for errors
sudo tail -f /var/log/audit/audit.log
```
- Keep different types of rules in separate files (e.g., `file-monitoring.rules`, `process-monitoring.rules`)
- Document your rules with comments
- Test new rules with `auditctl -R` before service restart
- Back up your custom rules files
In CentOS 7, the audit system uses a modular approach for managing rules. The primary configuration file `/etc/audit/audit.rules` is automatically generated from files in `/etc/audit/rules.d/`. This is clearly indicated by the comment at the top of the file:

```
## This file is automatically generated from /etc/audit/rules.d
```
When you need to add or modify audit rules, you should:

- Create or edit files in `/etc/audit/rules.d/`
- Use the proper service command to apply changes
Here's how to properly add a new rule:

```sh
# Example: Add a rule to monitor /etc/passwd
echo "-w /etc/passwd -p wa -k identity" >> /etc/audit/rules.d/my-custom.rules
```
After modifying rules in the `rules.d` directory, you need to restart the auditd service:

```sh
# Reload the audit rules
service auditd restart
# Verify the rules were loaded
auditctl -l
```

This will automatically regenerate `/etc/audit/audit.rules` with all rules from the `rules.d` directory.
Issue: Rules don't persist after reboot
Solution: Ensure your custom rules are in `/etc/audit/rules.d/` with proper permissions (root:root, 640)

Issue: Rules aren't appearing in `audit.rules`
Solution: Check for syntax errors in your rule files using:

```sh
augenrules --check
```
For complex environments, you might want to organize rules into multiple files:

```
# Contents of /etc/audit/rules.d/10-base.rules
## Default rules
-D
-b 8192
```

```
# Contents of /etc/audit/rules.d/30-file-access.rules
## File access monitoring
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
```
The files will be processed in alphabetical order, so naming them with numbers helps maintain order.
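The ordering rule just described, and the advice earlier on the page to test rules before restarting the service, can both be exercised without a running auditd. The script below is an added example, not code from this page or from the audit package: `merge_rules_dir` models how the `rules.d/*.rules` files are concatenated in sorted file-name order into one rule set (a simplified stand-in; the real `augenrules` script does more than this, and note that `augenrules --check` only reports whether `rules.d` differs from the generated `audit.rules`), while `check_watch_rule` and `lint_watch_rules` reject malformed `-w` lines (unknown permission letters, relative paths, empty or over-long keys) before a `service auditd restart`. The directory, file names and rule lines it creates are constructed sample data.

```shell
#!/bin/sh
# Added example (not code from this page or from the audit package).
# Models two things the page describes, offline and without auditd:
#   1. how rules.d/*.rules are merged in sorted file-name order into one
#      rule set (a simplified stand-in for what augenrules does on
#      "service auditd restart"), and
#   2. a pre-restart check that rejects malformed "-w" watch rules.
# All file names and rule lines below are constructed sample data.

# Print the merged rule set for DIR. Files are taken in sorted name order,
# comments and blank lines are dropped, "-D" (delete all rules) is hoisted
# to the top and "-e" (enable/lock) pushed to the bottom, because those two
# only make sense at those positions. The real augenrules script handles
# more than this; treat it as a model of the ordering only.
merge_rules_dir() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        cat "$f"
        echo                     # guard against a missing final newline
    done | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^-D/ { del = del $0 "\n"; next }
        /^-e/ { enable = enable $0 "\n"; next }
        { body = body $0 "\n" }
        END { printf "%s%s%s", del, body, enable }
    '
}

# Return 0 when LINE is a well-formed watch rule of the form
#   -w <absolute path> [-p <letters from r,w,x,a>] [-k <key of <= 31 bytes>]
# (the key limit is the one auditctl(8) documents) and 1 otherwise.
check_watch_rule() {
    # shellcheck disable=SC2086
    # word-splitting the rule line into its tokens is intended here
    set -- $1
    [ "$1" = "-w" ] || return 1
    case "$2" in /*) ;; *) return 1 ;; esac
    shift 2
    while [ $# -gt 0 ]; do
        case "$1" in
            -p) case "$2" in ""|*[!rwxa]*) return 1 ;; esac ;;
            -k) [ -n "$2" ] && [ "${#2}" -le 31 ] || return 1 ;;
            *)  return 1 ;;
        esac
        shift 2
    done
    return 0
}

# Lint every "-w" line in FILE: print "file:lineno: line" for each bad one
# and return the number of bad lines, so 0 means the file is clean.
lint_watch_rules() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            -w*) check_watch_rule "$line" || { echo "$1:$n: $line"; bad=$((bad + 1)); } ;;
        esac
    done < "$1"
    return "$bad"
}

# Demonstration on a throwaway directory (constructed data).
demo=$(mktemp -d)
printf '## Default rules\n-D\n-b 8192\n' > "$demo/10-base.rules"
printf '## File access monitoring\n-w /etc/passwd -p wa -k identity\n-w /etc/shadow -p wa -k identity\n' \
    > "$demo/30-file-access.rules"
printf -- '-w /etc/hosts -p wq -k net\n-w relative/path -p w -k x\n' > "$demo/99-typo.rules"

echo "== merged rule set (as audit.rules would be regenerated) =="
merge_rules_dir "$demo"
echo "== watch-rule lint =="
lint_watch_rules "$demo/99-typo.rules" || echo "found $? bad watch rule(s)"
rm -rf "$demo"
```

Run it as-is to see the merged output for the constructed directory and the lint report for the deliberately broken `99-typo.rules`; to vet real files, call `lint_watch_rules` on each file under `/etc/audit/rules.d/`. It checks only `-w` watch rules and passes `-a`/`-S` syscall rules through untouched, and `auditctl -R` remains the authoritative test because it actually loads the rules into the kernel and reports the line that fails.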
If rules aren't loading as expected, check the auditd logs:

```sh
tail -f /var/log/audit/audit.log
```

Or enable debug mode temporarily:

```sh
service auditd stop
auditd -d
```