highauditverified ✓rollback-safe
Ensure audit rules are immutable
audit-rules-immutable · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The audit configuration should be made immutable by adding '-e 2' as the last rule. This prevents any modification of audit rules until the system is rebooted.
Rationale
Making audit rules immutable prevents attackers from disabling or modifying audit rules to hide their activities. Any attempt to change rules after boot requires a reboot, making such tampering more detectable.
Check → Remediate
Checkcommand
grep -E '^\s*-e\s+2\s*$' /etc/audit/rules.d/*.rules 2>/dev/null && auditctl -s 2>/dev/null | grep -qE '^enabled\s+2'
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -e 2
- persist_file:
- /etc/audit/rules.d/99-finalize.rules
Framework references
CIS
rhel9 6.3.3.20rhel10 6.3.3.36rhel8 6.3.3.21
STIG
V-281365 / RHEL-10-900100V-230402V-270832 / UBTU-24-909000
NIST 800-53
AU-9AC-6AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu24:check
#audit#immutable#security#hardening