← Rules Catalog
highauditverified

Ensure cryptographic mechanisms are used to protect the integrity of audit tools

auditd-tools-integrity · RHEL ≥ 8 · 1 impl

Description

AIDE or another file integrity monitoring tool should verify the integrity of audit binaries to detect unauthorized modifications.

Rationale

Audit tools are critical for security. If an attacker modifies them, they could hide malicious activity. Integrity checking ensures tampering is detected.

Check → Remediate

Checkcommand
# Check if AIDE is configured to monitor audit binaries
if [ -f /etc/aide.conf ]; then
  missing=""
  for bin in auditctl aureport ausearch autrace auditd rsyslogd augenrules; do
    if ! grep -qE "/sbin/$bin|/usr/sbin/$bin" /etc/aide.conf 2>/dev/null; then
      missing="$missing $bin"
    fi
  done
  if [ -z "$missing" ]; then
    echo "OK: AIDE monitors all audit tools"
    exit 0
  fi
fi
echo "FAIL: Audit tool integrity monitoring not configured${missing:+ (missing:$missing)}"
exit 1
expected_exit:
0
Remediatemanual
note:
Configure AIDE to monitor audit binaries. Add to /etc/aide.conf: /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

Framework references

CIS

rhel8 6.1.3rhel9 6.1.3rhel10 6.1.3

STIG

V-280978 / RHEL-10-200631V-258137 / RHEL-09-651025V-230475

NIST 800-53

AU-9SI-7

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#integrity#aide#security