Profile Applicability:
Level 2
Description:
The audit package (auditd) provides the user-space component to the Linux Audit subsystem, allowing the system to record security-relevant events. Ensuring the audit package is installed is essential for system monitoring and compliance.
Rationale:
Installing the audit package enables administrators to collect detailed logs of system activity, supporting security monitoring, forensic investigations, and compliance requirements.
Impact:
Pros:
Enables comprehensive auditing and logging of system events.
Supports compliance with security policies and regulations.
Cons:
Installation alone does not configure auditing policies; further setup is needed.
Default Value:
The audit package may not be installed by default on all systems.
Pre-requisites:
Root or sudo privileges to install packages.
Remediation:
Test Plan:
Using Linux command line:
Check if the audit package is installed:
RPM-based systems:
rpm -q audit
Debian-based systems:
dpkg -s auditd
Confirm the package is reported as installed (rpm prints the package version; dpkg reports "Status: install ok installed").
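As an added example that is not part of the benchmark text, the following POSIX shell script folds the two platform checks above into one pass/fail result. The function names (deb_status_installed, rpm_status_installed, check_audit_installed) and the sample package strings are my own; the two classifiers take the package manager's output as a string so they can be exercised on a host where neither rpm nor dpkg is present.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text.
# Return codes: 0 = audit package installed, 1 = not installed,
#               2 = no supported package manager found.

# Classify the string produced by
#   dpkg-query -W -f='${Status}' auditd
# Only a status ending in "ok installed" ("install ok installed",
# "hold ok installed") counts; "deinstall ok config-files", which dpkg
# reports after a remove that left configuration behind, must fail.
deb_status_installed() {
    case "$1" in
        *" ok installed") return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the output of `rpm -q audit`: an installed package prints its
# NVRA (for example audit-2.8.5-4.amzn2.x86_64, a constructed sample);
# a missing one prints "package audit is not installed".
rpm_status_installed() {
    case "$1" in
        audit-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check. dpkg-query is tried first because rpm can be present as a
# helper tool on Debian-based hosts, while dpkg is rarely on RPM hosts.
check_audit_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        deb_status_installed "$(dpkg-query -W -f='${Status}' auditd 2>/dev/null)"
    elif command -v rpm >/dev/null 2>&1; then
        rpm_status_installed "$(rpm -q audit 2>/dev/null)"
    else
        return 2
    fi
}

# Report the result without aborting, so the script stays safe under set -e.
rc=0
check_audit_installed || rc=$?
case "$rc" in
    0) echo "audit package: installed" ;;
    1) echo "audit package: NOT installed - apply the implementation plan" ;;
    *) echo "no supported package manager found on this host" ;;
esac
```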
Implementation Plan:
Using Linux command line:
Install the audit package if missing:
RPM-based:
yum install audit -y
Debian-based:
apt install auditd -y
Verify installation:
auditctl -v
Backout Plan:
Using Linux command line:
Remove the audit package if necessary:
RPM-based:
yum remove audit -y
Debian-based:
apt remove auditd -y
Confirm removal.
References:
CIS Amazon Linux 2 Benchmark v3.0.0