eheydrick
commented
6 years ago There's a couple issues with Debian 9 / Ubuntu 18.04. The big issue is that auditd now compiles the rules in /etc/audit/rules.d to /etc/audit/audit.rules and any rules placed in /etc/audit/audit.rules directly will be overwritten. Previous versions had this behavior disabled in /etc/default/auditd - USE_AUGENRULES="no".
Another issue is that the example rulesets are now located in /usr/share/doc/auditd/examples/rules and have different names. e.g. the stig rules are now 30-stig.rules.gz.
Working on a fix.
Hi,
/etc/audit/audit.rules file is overridden on each run on debian 9.
Can you please check and fix?
Thank you!