====== 4.1.18 Ensure the audit configuration is immutable (Scored) ======

=====Profile Applicability=====

<code>
Level 2 - Server
Level 2 - Workstation
</code>

=====Description=====

Set system audit so that audit rules cannot be modified with ''auditctl''. Setting the flag ''-e 2'' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.

=====Rationale=====

In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.

=====Audit=====

Run the following command and verify output matches:

<Code:bash>
# grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
-e 2
</Code>

=====Remediation=====

Add the following line to the end of the ''/etc/audit/audit.rules'' file.

<Code:bash>
-e 2
</Code>

centos7/4/1/18.txt Last modified: 2017/05/04 18:15 by Piotr Kłoczewski
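The Audit check from this page as a reusable shell function. This is an added example, not part of the benchmark text. It separates the case where ''-e 2'' is present but is not the final effective line from the case where it is absent. The function name ''check_audit_immutable'' and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# check_audit_immutable FILE  (hypothetical helper name, not from the benchmark)
# Prints one of: compliant | not-last | missing | unreadable
# Returns 0 only when the last effective line of FILE is "-e 2".
check_audit_immutable() {
    rules_file=$1
    [ -r "$rules_file" ] || { echo "unreadable"; return 2; }

    # Like the benchmark's grep, but also skips whitespace-only lines.
    active=$(grep -E '^[[:space:]]*[^#[:space:]]' "$rules_file" || true)

    # Last effective line, trimmed and with inner whitespace collapsed.
    last=$(printf '%s\n' "$active" | tail -n 1 | awk '{$1=$1; print}')

    if [ "$last" = "-e 2" ]; then
        echo "compliant"
        return 0
    fi

    # "-e 2" earlier in the file: lines after it come after the lock is set,
    # so the file does not match the remediation ("end of the file").
    if printf '%s\n' "$active" | awk '{$1=$1; print}' | grep -qx -- '-e 2'; then
        echo "not-last"
        return 1
    fi

    echo "missing"
    return 1
}

# Constructed sample: a watch rule follows "-e 2", so this prints "not-last".
sample=$(mktemp)
printf '%s\n' '-D' '-b 8192' '-e 2' '-w /etc/passwd -p wa -k identity' > "$sample"
check_audit_immutable "$sample" || true
rm -f "$sample"
```

On a real host, call it as ''check_audit_immutable /etc/audit/audit.rules'' and treat any non-zero return as a finding.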