
4.1.3.21 Ensure the running and on disk configuration is the same

Audit

Merged rule sets

Ensure that all rules in /etc/audit/rules.d have been merged into /etc/audit/audit.rules:

# augenrules --check
/usr/sbin/augenrules: No change

Should there be any drift, run augenrules --load to merge and load all rules.

Remediation

If the rules are not aligned across all three areas, run the following command to merge and load all rules:

# augenrules --load

Check whether a reboot is required: if auditd is running in immutable mode (the enabled flag in auditctl -s is 2), newly loaded rules do not take effect until the system is rebooted.

if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then echo "Reboot required to load rules"; fi