centos7:4:1:18 [2017/05/04 16:15] (current)
Piotr Kłoczewski created
====== 4.1.18 Ensure the audit configuration is immutable (Scored) ======
===== Profile Applicability =====
<code>
Level 2 - Server
Level 2 - Workstation
</code>
===== Description =====
Configure the audit system so that its rules cannot be modified with ''auditctl''. The flag ''-e 2'' puts the kernel audit subsystem into immutable mode: once it is set, neither the loaded rules nor the flag itself can be changed, and the only way to alter the audit configuration is to reboot the system.
===== Rationale =====
In immutable mode, an attacker with privileges cannot alter the audit rules to hide malicious activity and then restore them afterwards. Making any change requires a reboot, which users and monitoring would most likely notice, alerting administrators to an attempt to tamper with auditing.
===== Audit =====
Run the following command and verify that the last active (non-comment) line of the rules file is ''-e 2'':
<code bash>
# grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
-e 2
</code>
This only confirms what will be loaded the next time auditd starts. To confirm that the running kernel is actually locked, check that ''auditctl -s'' reports ''enabled 2''; a value of ''1'' means auditing is on but rules can still be changed.
===== Remediation =====
Add the following line to the end of the ''/etc/audit/audit.rules'' file:
<code bash>
-e 2
</code>
''-e 2'' must be the final line, because the kernel stops accepting rule changes as soon as it is processed; any rules after it are silently lost. On CentOS 7 the auditd service regenerates ''/etc/audit/audit.rules'' from the files in ''/etc/audit/rules.d/'' (via ''augenrules'') when it starts, so direct edits to ''audit.rules'' may be overwritten; to make the setting persistent, place ''-e 2'' in a file under ''/etc/audit/rules.d/'' whose name sorts last (for example ''99-finalize.rules''). Verify the complete rule set before locking it, since correcting a mistake afterwards requires a reboot. The change takes effect at the next auditd start or reboot.
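The following script is an added example, not part of the CIS benchmark text above. It wraps the audit check in reusable functions: one that extracts the last active line of a rules file (stricter than the benchmark's grep, since it also skips whitespace-only lines), one that decides whether that line is ''-e 2'', and one that queries the running kernel through ''auditctl -s''. The sample rules files it builds are constructed for the demonstration and are not real system files; the ''auditctl'' check needs root and is skipped when the tool is absent.

```bash
#!/bin/bash
# Added example: verify that an audit rules file ends with "-e 2" and,
# where possible, that the running audit subsystem is actually immutable.

# Print the last non-blank, non-comment line of the given rules file.
# "^[[:space:]]*[^#[:space:]]" requires a real character after any
# leading whitespace, so whitespace-only lines are ignored as well.
last_active_rule() {
    grep -E '^[[:space:]]*[^#[:space:]]' "$1" | tail -n 1
}

# Return 0 when the file's final active line is exactly "-e 2"
# (surrounding whitespace tolerated), 1 otherwise. A "-e 2" that is not
# last is rejected: the kernel stops accepting rules once it is processed.
rules_file_immutable() {
    local last
    last=$(last_active_rule "$1" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
    [ "$last" = "-e 2" ]
}

# Return 0 when the running kernel reports "enabled 2" (immutable),
# 1 when it reports anything else, 2 when auditctl is not installed.
# Requires root; non-root runs fall into the "1" case.
kernel_audit_immutable() {
    command -v auditctl >/dev/null 2>&1 || return 2
    auditctl -s 2>/dev/null | grep -qE '^enabled[[:space:]]+2$'
}

# Demonstration on two constructed rules files (not real system files).
demo() {
    local good bad
    good=$(mktemp) && bad=$(mktemp) || return 1
    # Compliant: "-e 2" is the last active line; a trailing comment is fine.
    printf '%s\n' '-D' '-b 8192' \
        '-w /etc/passwd -p wa -k identity' '-e 2' '# end of rules' > "$good"
    # Non-compliant: "-e 2" appears before another rule, so that rule
    # would never be loaded and the file fails the check.
    printf '%s\n' '-D' '-e 2' '-w /etc/shadow -p wa -k identity' > "$bad"

    if rules_file_immutable "$good"; then
        echo "good file: compliant (last active line: $(last_active_rule "$good"))"
    else
        echo "good file: NOT compliant"
    fi
    if rules_file_immutable "$bad"; then
        echo "bad file: compliant"
    else
        echo "bad file: NOT compliant (last active line: $(last_active_rule "$bad"))"
    fi

    if kernel_audit_immutable; then
        echo "running kernel: audit is immutable (enabled 2)"
    else
        case $? in
            2) echo "running kernel: auditctl not found, skipping" ;;
            *) echo "running kernel: audit is NOT immutable (or not root)" ;;
        esac
    fi
    rm -f "$good" "$bad"
}

demo
```

Run it as root on a host after remediation: the file check should pass and the kernel check should report ''enabled 2''; on a host where ''-e 2'' was added to ''/etc/audit/audit.rules'' but auditd has not been restarted, the file check passes while the kernel check still fails, which is exactly the gap the file-only audit above cannot see.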