Profile Applicability:
• Level 2
Description:
Setting the audit configuration as immutable prevents unauthorized changes to the audit rules, ensuring continuous and reliable auditing of system activities.
Rationale:
Making the audit configuration immutable protects audit policies from accidental or malicious modifications, maintaining the integrity of security monitoring.
Impact:
Pros:
• Prevents tampering with audit configuration.
• Ensures consistent audit policy enforcement.
Cons:
• Requires deliberate action to update audit rules, potentially slowing emergency changes.
Default Value:
Audit configuration may not be immutable by default.
Pre-requisites:
Root or sudo privileges to set the immutable attribute.
Remediation:
Test Plan:
Using Linux command line:
Check whether the audit rules file is immutable:
lsattr /etc/audit/audit.rules
Confirm the i attribute (immutable) is set.
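Added example (not part of the benchmark text): a shell check for the test plan above that reads only the attribute field of the lsattr output, because the path /etc/audit/audit.rules itself contains the letter i and would satisfy a plain text match on the whole line. The function names, exit statuses and sample lines are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample lsattr output lines (not captured from a real host).
SAMPLE_IMMUTABLE='----i---------e------- /etc/audit/audit.rules'
SAMPLE_MUTABLE='--------------e------- /etc/audit/audit.rules'

# Hypothetical helper: succeed if the flags field of one lsattr line has "i".
# Only the first whitespace-separated field is inspected, never the path.
has_immutable_flag() {
    flags=${1%%[[:space:]]*}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Hypothetical helper: check_audit_immutable [FILE]
# Exit status: 0 = immutable, 1 = not immutable, 2 = could not be determined.
check_audit_immutable() {
    file=${1:-/etc/audit/audit.rules}
    if [ ! -e "$file" ]; then
        echo "UNKNOWN: $file does not exist" >&2
        return 2
    fi
    # lsattr fails when it is not installed or when the filesystem
    # does not support file attributes; treat both as undetermined.
    if ! line=$(lsattr -d "$file" 2>/dev/null); then
        echo "UNKNOWN: lsattr failed for $file" >&2
        return 2
    fi
    if has_immutable_flag "$line"; then
        echo "PASS: $file is immutable"
        return 0
    fi
    echo "FAIL: $file is not immutable"
    return 1
}
```

Source the file and run check_audit_immutable with root or sudo privileges; a status of 2 means the result is undetermined and should not be recorded as a pass.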
Implementation Plan:
Using Linux command line:
Set the immutable attribute on the audit rules file:
chattr +i /etc/audit/audit.rules
Verify attribute is set:
lsattr /etc/audit/audit.rules
Backout Plan:
Using Linux command line:
Remove the immutable attribute if changes are needed:
chattr -i /etc/audit/audit.rules
Modify the audit rules as necessary.
Reapply the immutable attribute after updates.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux chattr Manual