Make the auditd Configuration Immutable
An XCCDF Rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:

-e 2

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to make the auditd configuration immutable:

-e 2

In either case the line must be the last rule processed: auditctl(8) rejects any further rule changes once it has handled -e 2, so rules that follow it fail to load. With augenrules, put it in the .rules file that sorts last (for example a file named 99-finalize.rules); with auditctl, put it at the end of /etc/audit/audit.rules. With this setting, a reboot will be required to change any audit rules.
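A check for this ordering requirement, added here as an example and not part of SSG's own check or remediation content: the script below merges the rule files of a directory, verifies that the effective rule list ends with exactly one -e 2 line, and parses the enabled field of auditctl -s, which reports 2 once the running kernel has locked the configuration. The merge is an assumption (plain concatenation of DIR/*.rules in sorted file-name order with comments and blank lines removed) and does not reproduce every reordering augenrules may perform, so treat a failure as a prompt to inspect the generated /etc/audit/audit.rules. The rule lines and auditctl -s text exercised by it are constructed sample data.

```shell
#!/bin/sh
# Added example; not SSG's own check or remediation. Verifies that an
# audit rule set ends with exactly one "-e 2" line, so the configuration
# becomes immutable without silently dropping rules that would be loaded
# after it (auditctl refuses changes once -e 2 has been processed).
# Assumption (not from the page): the merge only concatenates DIR/*.rules
# in sorted file-name order after stripping comments and blank lines.

# merge_rules DIR: print the effective rule lines of DIR/*.rules in sorted
# file-name order (glob expansion is collated). Leading whitespace,
# comments and blank lines are removed and runs of whitespace collapsed,
# so "-e   2" compares equal to "-e 2".
merge_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^[[:space:]]*$/d' \
            -e 's/[[:space:]]\{1,\}/ /g' -e 's/ $//' "$f"
    done
}

# check_immutable DIR
#   0: merged rules end with a single "-e 2"
#   1: no "-e" control line at all (configuration stays mutable)
#   2: last effective line is not "-e 2" (flag never set, or set too
#      early so the rules after it fail to load)
#   3: "-e 2" is last but another "-e" line precedes it
check_immutable() {
    merged=$(merge_rules "$1")
    e_count=$(printf '%s\n' "$merged" | grep -c '^-e ' || true)
    last=$(printf '%s\n' "$merged" | tail -n 1)
    if [ "$e_count" -eq 0 ]; then return 1; fi
    if [ "$last" != "-e 2" ]; then return 2; fi
    if [ "$e_count" -ne 1 ]; then return 3; fi
    return 0
}

# enabled_flag STATUS_TEXT: extract the "enabled" value from `auditctl -s`
# output (live use: enabled_flag "$(auditctl -s)"). 2 means the kernel has
# locked the configuration; the file check above only predicts this for
# the next rule load.
enabled_flag() {
    printf '%s\n' "$1" | sed -n 's/^enabled \([0-9]\).*/\1/p' | head -n 1
}

# report DIR: human-readable verdict for a rules directory, plus the live
# kernel flag when auditctl is available (needs root to query).
report() {
    rc=0
    check_immutable "$1" || rc=$?
    case $rc in
        0) echo "$1: OK, merged rules end with a single -e 2" ;;
        1) echo "$1: FAIL, no -e line; configuration stays mutable" ;;
        2) echo "$1: FAIL, last effective rule is not -e 2" ;;
        3) echo "$1: FAIL, an earlier -e line precedes the final -e 2" ;;
    esac
    if command -v auditctl >/dev/null 2>&1; then
        live=$(enabled_flag "$(auditctl -s 2>/dev/null)")
        if [ "$live" = 2 ]; then
            echo "kernel: enabled 2 (locked until reboot)"
        else
            echo "kernel: enabled ${live:-unknown} (not locked)"
        fi
    fi
    return $rc
}

# Usage: sh check_immutable.sh /etc/audit/rules.d
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it against /etc/audit/rules.d for the augenrules case, or against /etc/audit for the auditctl case (merge_rules only reads files ending in .rules, so /etc/audit/audit.rules is picked up there). The file check only says what will happen at the next rule load; the enabled 2 value from auditctl -s is the state that protects the system right now.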
Rationale
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules: once the kernel has locked the configuration, even an attacker with root privileges cannot alter or disable the rules without rebooting the system, which is far harder to do unnoticed. It may be problematic if legitimate changes are needed during system operation, since those changes also require a reboot.
ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable
Severity: Medium
References:
Updated:
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
# Traverse all of:
#
# /etc/audit/audit.rules, (for auditctl case)