← Rules Catalog
mediumauditverified rollback-safe

Protect audit rules from unauthorized change

auditd-immutable-rules · RHEL ≥ 9 · 1 impl

Description

The audit system must be configured to make audit rules immutable by setting -e 2 as the final rule.

Rationale

Making audit rules immutable prevents runtime changes to the audit configuration. A reboot is required to modify rules, ensuring that an attacker who gains access cannot silently disable auditing.

Check → Remediate

Checkcommand
tail -1 /etc/audit/rules.d/audit.rules
expected_exit:
0
expected_stdout:
-e 2
Remediateconfig_append
path:
/etc/audit/rules.d/audit.rules
line:
-e 2

Framework references

STIG

V-258229

NIST 800-53

AU-9

Live verification

rhel9:check
#audit#auditd#integrity#configuration