Profile Applicability:
• Level 2
Description:
Modifications to the system’s network environment—such as changes to network interfaces, routing tables, firewall rules, or network services—can impact system security and connectivity. Collecting audit logs for these events provides visibility into such changes for security monitoring and incident response.
Rationale:
Capturing audit events related to network environment changes helps detect unauthorized modifications, supports forensic analysis, and ensures compliance with security policies.
Impact:
Pros:
Enables detection of unauthorized network configuration changes.
Supports incident investigations and compliance audits.
Cons:
May generate high audit log volume; requires proper log management.
Default Value:
Audit rules for network environment modifications are often not enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check existing audit rules for network modifications:
auditctl -l | grep -E 'net|interface|route|iptables'
Verify audit rules exist for relevant syscalls and configuration files.
Implementation Plan:
Using Linux command line:
Add audit rules to monitor network environment changes. Examples include:
# Monitor changes to network interface configuration files
auditctl -w /etc/sysconfig/network-scripts/ -p wa -k network-change
# Monitor iptables rule changes
auditctl -w /etc/sysconfig/iptables -p wa -k firewall-change
# Monitor syscalls that modify network parameters (hostname and NIS domain name)
auditctl -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network-change
# setrlimit is a resource-limit syscall; it is recorded under the same key here
auditctl -a always,exit -F arch=b64 -S setrlimit -k network-change
# On systems that run 32-bit binaries, add matching rules with -F arch=b32
Persist audit rules by adding them to /etc/audit/rules.d/audit.rules.
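The following is an added example, not part of the benchmark or the auditd project: a POSIX shell check that compares the rules this control expects against a saved "auditctl -l" listing and reports what is missing, so the Test Plan can run from configuration management or CI without root. It assumes the listing format described in its comments and goes slightly beyond the text by also expecting the arch=b32 variants of the syscall rules.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: compare the network-
# environment audit rules this control expects against the rules actually
# loaded in the kernel (the output of "auditctl -l", saved to a file) and
# list anything missing. Runs without root when given a saved listing.

# Expected rules, written the way "auditctl -l" prints them (assumption:
# watches print "-k KEY", syscall rules print "-F key=KEY", and a trailing
# slash on a watched directory is dropped). The b32 variants are included so
# 32-bit callers of sethostname/setdomainname are audited too.
EXPECTED_RULES='-w /etc/sysconfig/network-scripts -p wa -k network-change
-w /etc/sysconfig/iptables -p wa -k firewall-change
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network-change
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=network-change'

# check_audit_rules LISTING_FILE
# Prints "MISSING: <rule>" for every expected rule absent from LISTING_FILE.
# Returns 0 when all rules are loaded, 1 otherwise.
check_audit_rules() {
    listing="$1"
    status=0
    old_ifs=$IFS
    IFS='
'
    for rule in $EXPECTED_RULES; do
        # grep -Fx: fixed string, whole-line match, so a rule keyed "net"
        # cannot accidentally satisfy "-k network-change".
        if ! grep -Fxq -- "$rule" "$listing"; then
            printf 'MISSING: %s\n' "$rule"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# Constructed sample listing: only the interface watch and the b64 syscall
# rule are loaded, so the firewall watch and the b32 rule get reported.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
-w /etc/sysconfig/network-scripts -p wa -k network-change
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network-change
-a always,exit -F arch=b64 -S setrlimit -F key=network-change
EOF

check_audit_rules "$SAMPLE_LISTING" || echo "Remediation required (see Implementation Plan)."
```

On a live host, save the current rules with "auditctl -l > /tmp/audit-rules.txt" (as root) and pass that file to check_audit_rules instead of the constructed sample.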
Backout Plan:
Using Linux command line:
Remove or disable the network audit rules as needed:
auditctl -W /etc/sysconfig/network-scripts/ -p wa -k network-change
auditctl -W /etc/sysconfig/iptables -p wa -k firewall-change
auditctl -D -k network-change
Reload audit daemon configuration.
References:
CIS Amazon Linux 2 Benchmark v3.0.0