{"description": "Set the <tt>-c</tt> flag so that <tt>auditctl</tt> will continue loading rules in spite of an error. The exit\ncode will not be success if any rule fails to load.", "rationale": "The default behaviour of <tt>auditctl</tt> is to stop loading any further rules if it encounters an\nerror in the rules (for example a file watcher referencing a non-existent file). This can\nlead to auditd running without valid rules being present. It is best to have all valid rules\nloaded and active rather than a subset.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the option '-c' is not set in the '/etc/audit/audit.rules' file", "ocil": "Verify that the '-c' option is set in the '/etc/audit/audit.rules' file with the following command:\n<pre>\n$ sudo grep -Ph -- '^\\h*-c\\b' /etc/audit/rules.d/*.rules | tail -1\n</pre>\nThe output should be:\n<pre>\n-c\n</pre>", "oval_external_content": null, "fixtext": "Set the '-c' option in the '/etc/audit/audit.rules' file with the following command:\n<pre>\n$ printf '%s\\n' \"\" \"-c\" | sudo tee -a /etc/audit/rules.d/01-initialize.rules > /dev/null\n</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure the Audit Configuration is Loaded Regardless of Errors", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_continue_loading/rule.yml", "template": null}