mediumauditverified ✓rollback-safe
Protect audit rules from unauthorized change
auditd-immutable-rules · RHEL ≥ 9 · 1 impl
Description
The audit system must be configured to make audit rules immutable by setting -e 2 as the final rule.
Rationale
Making audit rules immutable prevents runtime changes to the audit configuration. A reboot is required to modify rules, ensuring that an attacker who gains access cannot silently disable auditing.
Check → Remediate
Checkcommand
tail -1 /etc/audit/rules.d/audit.rules
- expected_exit:
- 0
- expected_stdout:
- -e 2
Remediateconfig_append
- path:
- /etc/audit/rules.d/audit.rules
- line:
- -e 2
Framework references
STIG
V-258229
NIST 800-53
AU-9
Live verification
rhel9:check
#audit#auditd#integrity#configuration