mediumauditunverified
Audit modification of /etc/hosts and /etc/hostname (RHEL 10)
audit-hosts-files-rhel10 · RHEL ≥ 10 · 1 impl
Description
On RHEL 10 these file-modification audit controls use the syscall form (-S all -F path=... -F perm=wa). Record write/attribute changes to /etc/hosts and /etc/hostname.
Rationale
Unauthorized modification of these files can alter system identity or trust; auditing provides attribution.
Check → Remediate
Checkcomposed · 2 sub-checks (all must pass)
- 1. audit_rule_exists:
- rule=-a always,exit -F arch=b64 -S all -F path=/etc/hosts -F perm=wa -F key=system-locale
- 2. audit_rule_exists:
- rule=-a always,exit -F arch=b64 -S all -F path=/etc/hostname -F perm=wa -F key=system-locale
Remediatemanual
- note:
- Add -S all -F path=/etc/hosts and path=/etc/hostname (-F perm=wa -F key=system-locale) audit rules to /etc/audit/rules.d/ and augenrules --load.
Framework references
CIS
rhel10 6.3.3.7
NIST 800-53
AU-12
#audit#system-locale#cis