4.1.3.20 Ensure the audit configuration is immutable

Information

Set system audit so that audit rules cannot be modified with auditctl . Setting the flag '-e 2' forces audit to be put in immutable mode. Audit changes can only be made on system reboot.

Note: This setting will require the system to be rebooted to update the active auditd configuration settings.

Rationale:

In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.

Solution

Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file:
Example:

# printf -- '-e 2' >> /etc/audit/rules.d/99-finalize.rules

Load audit rules


Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules
'; fi

Additional Information:

NIST SP 800-53 Rev. 5:

AC-3

AU-3

AU-3(1)

MP-2

See Also

https://workbench.cisecurity.org/files/3807

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, 800-53|MP-2, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: e2181339babe119a834a7993f765b67bc23f864245fc9e5ccfb7959e2c445871