Audit.rules is empty by default on Centos 7

shagun
Posts: 43
Joined: 2016/11/04 12:30:30

Post by shagun » 2017/11/29 12:11:10

Hi,

We noticed that audit.rules is empty on CentOS 7, whereas it used to have some default rules on CentOS 6. We checked /sbin/augenrules, which copies audit rules from /etc/audit/rules.d/audit.rules to /etc/audit/audit.rules, which is almost the same as on CentOS 6.

Please help us understand where the rules are being picked up from when audit.rules is deployed empty on CentOS 7.

Regards,
Shagun
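
Added example, not part of the thread or of the audit package: a shell check of whether the compiled /etc/audit/audit.rules reflects the source files under /etc/audit/rules.d that the post above describes. It assumes those default paths, compares rule lines as a sorted set with comments and blank lines ignored, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compare the rule sources in rules.d
# with the compiled audit.rules file and report their relationship.

# Print the effective rule lines of the given files:
# trailing whitespace stripped, comments and blank lines dropped, sorted.
effective_rules() {
    for f in "$@"; do
        # Skip unreadable files and an unmatched glob pattern.
        if [ -r "$f" ]; then cat "$f"; fi
    done | sed -e 's/[[:space:]]*$//' -e '/^[[:space:]]*#/d' -e '/^$/d' | sort -u
}

# Usage: audit_rules_status [RULES_D_DIR] [COMPILED_FILE]
# Prints one of: no-rules, not-compiled, in-sync, out-of-sync
audit_rules_status() {
    rules_d=${1:-/etc/audit/rules.d}        # default path named in the post
    compiled=${2:-/etc/audit/audit.rules}   # default path named in the post

    want=$(effective_rules "$rules_d"/*.rules)
    have=$(effective_rules "$compiled")

    if [ -z "$want" ] && [ -z "$have" ]; then
        echo "no-rules"       # nothing to compile and nothing compiled
    elif [ -z "$have" ]; then
        echo "not-compiled"   # sources exist but audit.rules has no rules
    elif [ "$want" = "$have" ]; then
        echo "in-sync"        # compiled file carries the same rule lines
    else
        echo "out-of-sync"    # sources changed since the file was built
    fi
}
```

Run as root with no arguments to check the system paths. On `not-compiled` or `out-of-sync`, `augenrules --load` rebuilds and loads the file, and `auditctl -l` lists the rules the kernel currently has loaded.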

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Post by TrevorH » 2017/11/29 12:16:18

My audit.rules file has the same rules in it on el7 that it does on el6 but has only 1 comment line vs 12 comments on el6.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by shagun » 2017/11/29 12:33:34

But my /etc/audit/audit.rules file is empty on el7.

Post by TrevorH » 2017/11/29 13:53:49

I suspect that's due to something you did as I checked all my el7 systems and all /etc/audit/audit.rules files have 5 lines in them.

Post by shagun » 2017/11/30 16:53:00

On a CentOS 7.3 machine, after a fresh installation, I am getting an empty audit.rules file, but on CentOS 7.4 the rules are written in that file.
So I updated the audit package on the 7.3 machine and restarted the auditd service, but I am still getting the empty file.
Can you tell me how we can add the rules to that file, or whether anything has changed in the audit package?
Please help me understand where the rules are being picked up from.

Regards,
Shagun

Post by TrevorH » 2017/11/30 17:05:01

I'm pretty sure we've been through this already: CentOS 7.3 is not current, it is not supported. Update to the current version 7.4.