CCE-92674-1 | Platform: cpe:/o:ubuntu:ubuntu_linux:18.04 | Date: (C)2019-11-07 (M)2023-07-04 |
Set system audit so that audit rules cannot be modified with auditctl. Setting the flag -e 2 forces audit to be put in immutable mode. Audit changes can only be made on system reboot.
Rationale:
In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.
Parameter:
[yes/no]
Technical Mechanism:
Add the following line to the /etc/audit/audit.rules file:
-e 2
Note: This must be the last line in the /etc/audit/audit.rules file.
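An added example, not part of the original CCE entry: a POSIX shell check that `-e 2` is the last effective (non-comment, non-blank) line of a rules file. The function name `check_immutable` and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify the "-e 2" immutable-mode setting in an audit rules file.
# Return codes (a convention chosen for this example, not defined by auditd):
#   0 = "-e 2" is the last effective line
#   1 = "-e 2" is present, but other lines follow it
#   2 = no "-e 2" line at all
#   3 = the file cannot be read

check_immutable() {
    rules_file=${1:-/etc/audit/audit.rules}
    [ -r "$rules_file" ] || return 3

    # Reduce the file to its effective lines: collapse runs of whitespace so
    # that "-e   2" compares equal to "-e 2", trim both ends, then drop
    # comment lines and blank lines.
    effective=$(sed -e 's/[[:space:]]\{1,\}/ /g' \
                    -e 's/^ //' -e 's/ $//' \
                    -e '/^#/d' -e '/^$/d' "$rules_file")

    # The setting must be the final effective line of the file.
    last=$(printf '%s\n' "$effective" | tail -n 1)
    if [ "$last" = "-e 2" ]; then
        return 0
    fi

    # Distinguish "present but misplaced" from "missing entirely".
    if printf '%s\n' "$effective" | grep -qx -e '-e 2'; then
        return 1
    fi
    return 2
}
```

Call `check_immutable` with no argument to test /etc/audit/audit.rules. On a running system, `auditctl -s` reporting `enabled 2` confirms that the kernel is in immutable mode.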
CCSS Severity: | CCSS Metrics: |
CCSS Score: 7.1 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 5.2 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: NONE |
| Integrity: HIGH |
| Availability: HIGH |
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:51273 |