Resolve information before writing to audit logs
An XCCDF Rule
Description
To configure the Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
Rationale
If the option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them: numeric uids, gids, syscall numbers and architecture values that can only be resolved later against the tables of whatever host the log is read on, which may not be the host that produced it.
- ID: xccdf_org.ssgproject.content_rule_auditd_log_format
- Severity: Low
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - NIST-800-53-AU-3
    - NIST-800-53-CM-6
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

    if [ -e "/etc/audit/auditd.conf" ] ; then
        LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf"
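The following is an added example, not the SCAP Security Guide remediation itself, showing the check-and-set logic behind this rule as self-contained POSIX sh functions: read the effective log_format value from an auditd.conf-style file, test whether it is already ENRICHED, and replace every existing log_format line with a single `log_format = ENRICHED`. The file path is a parameter so the functions can be exercised against a constructed sample file instead of the real /etc/audit/auditd.conf; the function names and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the SSG/ComplianceAsCode remediation): idempotent
# set-and-verify of "log_format = ENRICHED" for an auditd.conf-style file.

# Print the effective log_format value: key matched case-insensitively,
# last assignment wins (mirrors the "delete all, then append one" pattern
# of the page's remediation), surrounding whitespace stripped.
# Prints nothing if the key is absent; returns 1 if the file is missing.
get_auditd_log_format() {
    conf="$1"
    [ -f "$conf" ] || return 1
    grep -i '^[[:space:]]*log_format[[:space:]]*=' "$conf" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 iff the file already requests ENRICHED output (case-insensitive,
# since auditd accepts the value in either case).
check_auditd_log_format() {
    [ "$(get_auditd_log_format "$1" | tr '[:lower:]' '[:upper:]')" = "ENRICHED" ]
}

# Remove every existing log_format assignment and append exactly one
# ENRICHED setting. Creates the file if it does not exist. Running it twice
# leaves the file unchanged (idempotent).
set_auditd_log_format() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing survives the filter (e.g. a file that held
    # only log_format lines); that is not an error here.
    grep -iv '^[[:space:]]*log_format[[:space:]]*=' "$conf" > "$tmp" || true
    # grep always newline-terminates its output, so appending is safe even
    # when the original file lacked a trailing newline.
    printf '%s\n' "log_format = ENRICHED" >> "$tmp"
    mv "$tmp" "$conf"
}

# Constructed sample config (not a real auditd.conf) with the weak default.
make_sample_conf() {
    f="$(mktemp)"
    printf '%s\n' \
        '# constructed sample, a few auditd.conf keys' \
        'log_file = /var/log/audit/audit.log' \
        'log_format = RAW' \
        'flush = INCREMENTAL_ASYNC' \
        'freq = 50' > "$f"
    printf '%s' "$f"
}

# Demo on the constructed file; never touches /etc/audit/auditd.conf.
demo_conf="$(make_sample_conf)"
echo "before: $(get_auditd_log_format "$demo_conf")"
set_auditd_log_format "$demo_conf"
echo "after:  $(get_auditd_log_format "$demo_conf")"
rm -f "$demo_conf"
```

To apply it to a real host, call `set_auditd_log_format /etc/audit/auditd.conf` as root and restart auditd; `check_auditd_log_format /etc/audit/auditd.conf` is the corresponding compliance check and returns non-zero on a RAW or unset configuration.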