← Rules Catalog
highauditverified rollback-safe

Ensure audit rules are immutable

audit-rules-immutable · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The audit configuration should be made immutable by adding '-e 2' as the last rule. This prevents any modification of audit rules until the system is rebooted.

Rationale

Making audit rules immutable prevents attackers from disabling or modifying audit rules to hide their activities. Any attempt to change rules after boot requires a reboot, making such tampering more detectable.

Check → Remediate

Checkcommand
grep -E '^\s*-e\s+2\s*$' /etc/audit/rules.d/*.rules 2>/dev/null && auditctl -s 2>/dev/null | grep -qE '^enabled\s+2'
expected_exit:
0
Remediateaudit_rule_set
rule:
-e 2
persist_file:
/etc/audit/rules.d/99-finalize.rules

Framework references

CIS

rhel9 6.3.3.20rhel10 6.3.3.36rhel8 6.3.3.21

STIG

V-281365 / RHEL-10-900100V-230402V-270832 / UBTU-24-909000

NIST 800-53

AU-9AC-6AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu24:check
#audit#immutable#security#hardening