Information
Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.
Note: This setting will require the system to be rebooted to update the active auditd configuration settings.
Rationale:
In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.
Solution
Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file:
Example:
# printf -- '-e 2' >> /etc/audit/rules.d/99-finalize.rules
Load audit rules
Merge and load the rules into active configuration:
# augenrules --load
Check if reboot is required.
# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules
'; fi
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION
References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, 800-53|MP-2, CSCv7|6.2, CSCv7|6.3
Control ID: 6464a468030dd789c5217fecfe8a30a6c5c99d753b7980a17f06facbe3ce6f34