Enable auditd Service
An XCCDF Rule
Description
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk.
The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Rationale
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.
Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
- ID: xccdf_org.ssgproject.content_rule_service_auditd_enabled
- Severity: Medium
- References: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
- Updated
Remediation - OS Build Blueprint
[customizations.services]
enabled = ["auditd"]
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.3.1
- name: Enable and start the auditd service (completes the remediation when auditd is installed)
  service:
    name: auditd
    enabled: true
    state: started
  when: '"auditd" in ansible_facts.packages'
Remediation - Puppet
include enable_auditd
class enable_auditd {
  service {'auditd':
    enable => true,
    ensure => 'running',
  }
}
Remediation - Shell Script
# Remediation is applicable only in certain platforms (not inside containers, and only when auditd is installed)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" unmask 'auditd.service'
    "$SYSTEMCTL_EXEC" start 'auditd.service'
    "$SYSTEMCTL_EXEC" enable 'auditd.service'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
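The remediations above establish the state this rule requires; the following added example (not part of the SCAP Security Guide content) is a small check for the other side of the rule, evaluating `systemctl show auditd.service` output for the three conditions a defender cares about: not masked, enabled at boot, and currently active. The sample outputs are constructed, and `live_check` assumes a `systemctl` binary on PATH.

```python
"""Check auditd.service against this rule: enabled at boot, active, not masked.
Parses `systemctl show` Key=Value output so it runs offline on constructed
samples and live where systemd is present."""
import shutil
import subprocess
from typing import Optional


def parse_systemctl_show(output: str) -> dict:
    """'Key=Value' lines -> dict; blank/malformed lines skipped, values may hold '='."""
    props = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            props[key.strip()] = value.strip()
    return props


def evaluate_auditd(show_output: str) -> dict:
    """Return {'compliant': bool, 'findings': [...]}; each finding names the
    systemctl step from the rule's shell remediation that fixes it."""
    p = parse_systemctl_show(show_output)
    findings = []
    if "masked" in (p.get("LoadState"), p.get("UnitFileState")):
        findings.append("unit is masked: systemctl unmask auditd.service")
    elif p.get("UnitFileState") != "enabled":
        findings.append("not enabled at boot: systemctl enable auditd.service")
    if p.get("ActiveState") != "active":
        findings.append("not running: systemctl start auditd.service")
    return {"compliant": not findings, "findings": findings}


def live_check() -> Optional[dict]:
    """Query local systemd for the three properties; None if systemctl is absent."""
    if shutil.which("systemctl") is None:
        return None
    result = subprocess.run(
        ["systemctl", "show", "auditd.service",
         "--property=LoadState,UnitFileState,ActiveState"],
        capture_output=True, text=True, check=False)
    return evaluate_auditd(result.stdout)


# Constructed samples (not captured from a real host) covering the states the
# remediation has to handle: compliant, masked, and running but not enabled.
SAMPLE_COMPLIANT = "LoadState=loaded\nUnitFileState=enabled\nActiveState=active\n"
SAMPLE_MASKED = "LoadState=masked\nUnitFileState=masked\nActiveState=inactive\n"
SAMPLE_RUNNING_NOT_ENABLED = "LoadState=loaded\nUnitFileState=disabled\nActiveState=active\n"
```

Calling `live_check()` on a host gives the same dictionary for the real unit; a service that is running but not enabled still fails, which is exactly the gap a plain `start` without `enable` leaves.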