79710356

Date: 2025-07-22 11:17:59
Score: 0.5
Natty:

Q: "I am trying to append a "string" value to a .rules file in /etc/audit/rules.d, if it does not exist. ... System is RHEL 9.5, but it is supposed to work on all versions down to 7.0. Any suggestions as to how I can achieve this?"

A: I understand that you'd like to make sure that there is a certain rule within the audit.rules file in the end. Therefore the question comes up: What is the correct way to generate /etc/audit/audit.rules?

According to Why are folders for configuration files always named *.d?, What does the .d stand for in directory names? and Linux configuration: Understanding *.d directories in /etc, there would be no need for "editing" a config file, for appending a "string" value to an auditd rule file under the .d folder if a certain condition is met, or for programming at all.

Just make sure that there is a file with the necessary rule if it is not available yet, like in the following example:

#! /bin/bash

# The rule that must end up in the generated /etc/audit/audit.rules
RULE='-a always,exit -F arch=b64 -S execve -F key=execve'

# Create the drop-in file only if it does not exist yet; augenrules
# concatenates every *.rules file in /etc/audit/rules.d
if [ ! -f /etc/audit/rules.d/rapid7.rules ]; then
    echo "${RULE}" > /etc/audit/rules.d/rapid7.rules
fi

and perform an augenrules --load.

Reasons:
  • Blacklisted phrase (1): I am trying to
  • RegEx Blacklisted phrase (2): Any suggestions
  • Long answer (-0.5):
  • Has code block (-0.5):
  • Contains question mark (0.5):
  • High reputation (-2):
Posted by: U880D
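The answer above creates the drop-in file once. The following script is an added example (not the answer's or the questioner's code) that goes one step further and makes the operation idempotent: it appends a rule to a drop-in file only when that exact line is missing, reports whether anything changed, and reloads via augenrules only when the tool is present. The drop-in name 50-rapid7.rules is an assumption; the number matters because augenrules concatenates /etc/audit/rules.d/*.rules in lexical filename order, so the drop-in should sort after the "-D" in the distribution's 10-base-config.rules and before any "-e 2" in 99-finalize.rules. The file paths in the usage comment assume the RHEL layout; the functions themselves take the path as an argument so they can be exercised against a temporary directory without root.

```shell
#!/bin/bash
# Added example: idempotent management of an auditd drop-in rule file.
# Not part of the original post. File names under /etc/audit/rules.d
# (10-base-config.rules, 99-finalize.rules) are the RHEL defaults;
# 50-rapid7.rules is an assumed name for our own drop-in.
set -u

# ensure_audit_rule FILE RULE
# Create FILE if missing and append RULE unless an identical line is
# already present. Returns 0 if FILE was changed, 1 if it already held
# the rule, so the caller can decide whether a reload is needed.
ensure_audit_rule() {
    local file="$1" rule="$2"
    # -x: match the whole line, -F: literal, so "-F key=execve" does not
    # match a longer rule that merely contains that text. "--" is needed
    # because audit rules start with "-".
    if [ -f "$file" ] && grep -qxF -- "$rule" "$file"; then
        return 1
    fi
    install -d -m 0750 -- "$(dirname -- "$file")"
    printf '%s\n' "$rule" >> "$file"
    chmod 0640 -- "$file"
    return 0
}

# rule_count FILE RULE
# Print the number of lines in FILE that are exactly RULE (0 if FILE is
# missing). Useful to verify the file did not pick up duplicates.
rule_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -cxF -- "$2" "$1" || true
}

# reload_audit_rules
# Rebuild /etc/audit/audit.rules from rules.d and load it into the
# kernel. augenrules ships with the audit package on RHEL 7 and later.
# If the loaded policy is immutable (-e 2), the new rule only takes
# effect after a reboot.
reload_audit_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    else
        echo "augenrules not found; is the audit package installed?" >&2
        return 1
    fi
}

# Usage (needs root for the real /etc/audit path):
#   RULE='-a always,exit -F arch=b64 -S execve -F key=execve'
#   if ensure_audit_rule /etc/audit/rules.d/50-rapid7.rules "$RULE"; then
#       reload_audit_rules
#   fi
```

Running the script twice leaves exactly one copy of the rule in the drop-in file, and the reload only happens on the run that actually changed something, which is what a configuration-management tool or cron job wants.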