Make the auditd Configuration Immutable
Description
If the auditd daemon is configured to use the augenrules program to read
audit rules during daemon startup (the default), add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d in order to make
the auditd configuration immutable:

-e 2

If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:

-e 2

With this setting, a reboot will be required to change any audit rules.
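As an added example (not part of this rule page or of the project's remediation content), the POSIX shell checker below verifies the setting from a defender's side: it reports the effective -e value across a set of rules files and parses the "enabled" field of auditctl -s output to confirm the running kernel is locked. It works on constructed sample files in a scratch directory; the file names 10-base.rules and 99-finalize.rules are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): check whether an audit rule
# set makes auditd immutable, both on disk and in the running kernel.

# Print the value N of the last "-e N" line across the given rules files,
# or nothing when none sets it. Later lines override earlier ones, as they
# do when auditctl loads the rules in order.
effective_enable_flag() {
    cat "$@" 2>/dev/null \
        | sed -n 's/^[[:space:]]*-e[[:space:]]\{1,\}\([0-9]\{1,\}\).*$/\1/p' \
        | tail -n 1
}

# Parse the "enabled" field from "auditctl -s" output supplied on stdin
# (the live kernel state; 2 means the rules are locked until reboot).
kernel_enable_flag() {
    sed -n 's/^enabled[[:space:]]\{1,\}\([0-9]\{1,\}\).*$/\1/p' | head -n 1
}

# Exit status 0 when the given files set -e 2, 1 otherwise.
rules_are_immutable() {
    [ "$(effective_enable_flag "$@")" = "2" ]
}

# --- constructed sample data in a scratch directory (demo only) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/rules.d"
cat > "$demo/rules.d/10-base.rules" <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
EOF
cat > "$demo/rules.d/99-finalize.rules" <<'EOF'
# lock the configuration; a reboot is needed to change rules afterwards
-e 2
EOF
# A constructed legacy audit.rules that only enables auditing (-e 1).
printf -- '-e 1\n' > "$demo/audit.rules"

if rules_are_immutable "$demo"/rules.d/*.rules; then
    echo "rules.d: immutable (-e 2)"
else
    echo "rules.d: NOT immutable"
fi
```

On a real host, run effective_enable_flag over /etc/audit/rules.d/*.rules (or /etc/audit/audit.rules for the auditctl configuration) and pipe auditctl -s into kernel_enable_flag; the on-disk value only takes effect after the rules are loaded, so both checks are needed.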
Rationale
Making the audit configuration immutable prevents accidental as well as
malicious modification of the audit rules, although it may be problematic if
legitimate changes are needed during system operation.
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.3.1
    - NIST-800-171-3.4.3
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.2
    - audit_rules_immutable
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: Collect all files from /etc/audit/rules.d with .rules extension
  find:
    paths: /etc/audit/rules.d/
    patterns: '*.rules'
  register: find_rules_d
  when:
    - '"audit" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.3.1
    - NIST-800-171-3.4.3
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.2
    - audit_rules_immutable
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: Remove the -e option from all Audit config files
  lineinfile:
    path: '{{ item }}'
    regexp: ^\s*(?:-e)\s+.*$
    state: absent
  loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}'
  when:
    - '"audit" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.3.1
    - NIST-800-171-3.4.3
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.2
    - audit_rules_immutable
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
  lineinfile:
    path: '{{ item }}'
    create: true
    line: -e 2
    mode: o-rwx
  loop:
    - /etc/audit/audit.rules
    - /etc/audit/rules.d/immutable.rules
  when:
    - '"audit" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - NIST-800-171-3.3.1
    - NIST-800-171-3.4.3
    - NIST-800-53-AC-6(9)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.2
    - audit_rules_immutable
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy