mediumauditverified ✓rollback-safe
Configure auditd to audit local events
auditd-local-events · RHEL ≥ 8 · 1 impl
Description
The auditd local_events parameter must be set to yes to collect audit events generated on the local system.
Rationale
Without auditing local events, security-relevant activity on the system would go unrecorded, preventing detection of unauthorized access or system compromise.
Check → Remediate
Checkconfig_value
- path:
- /etc/audit/auditd.conf
- key:
- local_events
- expected:
- yes
Remediateconfig_set
- path:
- /etc/audit/auditd.conf
- key:
- local_events
- value:
- yes
- separator:
- =
- restart:
- auditd
Framework references
STIG
V-258164V-230393V-281098 / RHEL-10-500010
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#configuration