mediumauditunverified
Audit modification of /etc/issue and /etc/issue.net (RHEL 10)
audit-issue-files-rhel10 · RHEL ≥ 10 · 1 impl
Description
On RHEL 10 these file-modification audit controls use the syscall form (-S all -F path=... -F perm=wa). Record write/attribute changes to /etc/issue and /etc/issue.net.
Rationale
Unauthorized modification of these files can alter system identity or trust; auditing provides attribution.
Check → Remediate
Checkcomposed · 2 sub-checks (all must pass)
- 1. audit_rule_exists:
- rule=-a always,exit -F arch=b64 -S all -F path=/etc/issue -F perm=wa -F key=system-locale
- 2. audit_rule_exists:
- rule=-a always,exit -F arch=b64 -S all -F path=/etc/issue.net -F perm=wa -F key=system-locale
Remediatemanual
- note:
- Add -S all -F path=/etc/issue and path=/etc/issue.net (-F perm=wa -F key=system-locale) audit rules to /etc/audit/rules.d/ and augenrules --load.
Framework references
CIS
rhel10 6.3.3.6
NIST 800-53
AU-12
#audit#system-locale#cis