
I'm setting up a PCI DSS environment and I'm facing the following problem. When installing the OS (CentOS 7.3 Minimal) I chose the "PCI DSS" profile.

When I was checking the rules applied in /etc/audit/audit.rules there was an enormous number of rules, and I was only interested in keeping 2 or 3 of them.

So I modified the file containing the rules and reloaded them. Up to this point, no problem.

What I'm facing is that every time I restart auditd.service my custom rules are overwritten with the ones imposed by the PCI DSS profile.

I also tried creating a file with my custom rules, let's say /etc/audit/audit-custom.rules. I can import the rules with the command `auditctl -R /etc/audit/audit-custom.rules`, and at that moment, if I execute `auditctl -l`, I have just the rules defined in my custom rules file.

The problem is that when I restart the auditd service, it takes the rules defined in /etc/audit/audit.rules every time. Even if I erase all the rules and put my custom rules inside the default rules config file, after a restart of the service auditd overwrites my custom rules.

Does anyone have any clue on how to prevent this behavior?

Thanks in advance for your help

Abel
  • Have you tried to use `auditctl` with option `-R` to load rules from a file (where you can put the rules you selected and don't need to bother with `audit.rules` any more)? – zezollo Sep 14 '17 at 13:28
  • Yes, but when I restart the service it overwrites my custom rules with the PCI DSS profile's rules – Abel Sep 14 '17 at 14:15
  • It overwrites the ones from the external file? – zezollo Sep 14 '17 at 14:17
  • Can't say if this is a bug or a feature... anyway I think you should add the content of your last comment in your question, it would be clearer. – zezollo Sep 15 '17 at 08:25

1 Answer


OK, so finally, after a little research this weekend, I've found the answer.

If you want to prevent auditd from overwriting your custom rules with the constraints imposed by the security profile, this is the procedure:

  1. Edit the file /etc/systemd/system/multi-user.target.wants/auditd.service and comment out the following line:

    # ExecStartPost=-/sbin/augenrules --load

  2. Next you have to reload the systemd daemon:

    systemctl daemon-reload

  3. Now you'll be able to import your rules with :

    auditctl -R /etc/audit/audit-custom.rules

  4. You can now restart the auditd service or reboot your server without auditd overwriting your custom rules.

Abel
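An added example, not code from the poster or from the answer above, showing the route that avoids touching the systemd unit at all. On CentOS 7 (audit 2.x) the `ExecStartPost=-/sbin/augenrules --load` line that the answer comments out runs `augenrules`, which concatenates every `/etc/audit/rules.d/*.rules` file into `/etc/audit/audit.rules` and then loads the result; that is why edits made directly to `audit.rules` are gone after each restart. Two caveats a practitioner will want before following the answer: the path under `multi-user.target.wants/` is normally a symlink to the package's unit file under `/usr/lib/systemd/system/`, so an update of the audit package restores the commented-out line; and once that line is gone nothing loads any rules at boot (rules survive a plain restart only because they stay in the kernel until something flushes them). The script below instead keeps the stock unit and makes the custom rules the only thing `augenrules` has to merge. The rule contents, the `10-profile.rules` stand-in, and the `99-custom.rules` / `rules.d.disabled` names are assumptions made for the example; the audit profile's real file names are not known from the question.

```bash
#!/bin/bash
# Added example, not code from the original post. Assumes audit 2.x on
# CentOS 7, where auditd.service runs "augenrules --load" after start and
# augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules.
# Leaving only our file in rules.d makes the regenerated audit.rules ours.
set -eu

# The few rules worth keeping (constructed sample, standard audit.rules syntax).
# -D first flushes the rules already in the kernel so the profile's set does
# not linger after a reload.
CUSTOM_RULES='## custom rules; profile rules moved to rules.d.disabled
-D
-b 8192
-w /etc/audit/audit.rules -p wa -k audit_config
-w /etc/audit/auditd.conf -p wa -k audit_config
-w /etc/sudoers -p wa -k sudoers_change
'

# Move every *.rules file out of RULES_D into BACKUP_D (kept, not deleted, so
# the profile set can be shown to an assessor or restored), then install the
# custom file as the only one augenrules will merge.
isolate_custom_rules() {               # isolate_custom_rules RULES_D BACKUP_D
  local rules_d="$1" backup_d="$2" f
  mkdir -p "$rules_d" "$backup_d"
  for f in "$rules_d"/*.rules; do
    [ -e "$f" ] || continue            # unexpanded glob: nothing to move
    mv "$f" "$backup_d/"
  done
  printf '%s' "$CUSTOM_RULES" > "$rules_d/99-custom.rules"
  chmod 0640 "$rules_d/99-custom.rules"
}

# Number of *.rules files augenrules would merge from RULES_D.
count_rule_files() {                   # count_rule_files RULES_D
  local n=0 f
  for f in "$1"/*.rules; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Normalise rule text the way "auditctl -l" prints it: drop comments, blank
# lines and control options (-D, -b, -e, -f, -r), then sort. Sufficient for
# watch (-w) rules; syscall (-a/-S) rules are re-ordered by auditctl and
# would need more normalisation than this.
normalise_rules() {
  { grep -Ev '^[[:space:]]*(#|$)|^-[Dbefr]( |$)' || true; } | sort
}

# Does rule file FILE match LOADED, the text reported by "auditctl -l"?
rules_match() {                        # rules_match FILE LOADED
  [ "$(normalise_rules < "$1")" = "$(printf '%s\n' "$2" | normalise_rules)" ]
}

# Live application only as root, only where the audit tools exist, and only
# when asked for with --apply. Anything else is a dry run in a scratch
# directory so the effect can be inspected before touching /etc/audit.
main() {
  if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ] && command -v augenrules >/dev/null; then
    isolate_custom_rules /etc/audit/rules.d /etc/audit/rules.d.disabled
    augenrules --load                  # regenerates audit.rules and loads it
    # CentOS 7 sets RefuseManualStop=yes on auditd.service, so a restart goes
    # through the legacy action, not "systemctl restart auditd".
    service auditd restart
    rules_match /etc/audit/rules.d/99-custom.rules "$(auditctl -l)" \
      && echo "kernel rules match 99-custom.rules" \
      || { echo "kernel rules differ from 99-custom.rules" >&2; exit 1; }
  else
    local tmp
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/rules.d"
    # Constructed stand-in for what the profile installed.
    printf -- '-w /etc/passwd -p wa -k identity\n' > "$tmp/rules.d/10-profile.rules"
    isolate_custom_rules "$tmp/rules.d" "$tmp/rules.d.disabled"
    echo "dry run in $tmp: $(count_rule_files "$tmp/rules.d") rules file(s) left for augenrules"
    cat "$tmp/rules.d/99-custom.rules"
  fi
}
main "$@"
```

Run it without arguments first to see the dry run, then `sudo ./isolate-audit-rules.sh --apply` on the host. After that, `augenrules --check` reports whether `audit.rules` is in sync with `rules.d`, and `auditctl -l` should list only the watches above; the profile's original files are still available under `/etc/audit/rules.d.disabled` if the assessor asks for them.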