highauditverified ✓
Ensure cryptographic mechanisms are used to protect the integrity of audit tools
auditd-tools-integrity · RHEL ≥ 8 · 1 impl
Description
AIDE or another file integrity monitoring tool should verify the integrity of audit binaries to detect unauthorized modifications.
Rationale
Audit tools are critical for security. If an attacker modifies them, they could hide malicious activity. Integrity checking ensures tampering is detected.
Check → Remediate
Checkcommand
# Check if AIDE is configured to monitor audit binaries
if [ -f /etc/aide.conf ]; then
missing=""
for bin in auditctl aureport ausearch autrace auditd rsyslogd augenrules; do
if ! grep -qE "/sbin/$bin|/usr/sbin/$bin" /etc/aide.conf 2>/dev/null; then
missing="$missing $bin"
fi
done
if [ -z "$missing" ]; then
echo "OK: AIDE monitors all audit tools"
exit 0
fi
fi
echo "FAIL: Audit tool integrity monitoring not configured${missing:+ (missing:$missing)}"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Configure AIDE to monitor audit binaries. Add to /etc/aide.conf: /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
Framework references
CIS
rhel8 6.1.3rhel9 6.1.3rhel10 6.1.3
STIG
V-280978 / RHEL-10-200631V-258137 / RHEL-09-651025V-230475
NIST 800-53
AU-9SI-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#integrity#aide#security