Profile Applicability:

Level 1

Description:

The auditd service is responsible for writing audit records to disk. If this service is not enabled, audit events will not be logged, making it difficult to detect unauthorized or suspicious activity. Enabling the auditd service ensures that audit logs are persistently captured from system startup.

Rationale:

Running the audit daemon ensures that access and authorization events are recorded, which is crucial for incident detection, investigation, and meeting regulatory compliance requirements.

Impact:

Pros:

  • Ensures persistent audit logging across reboots

  • Supports forensic investigation and incident response

  • Fulfills compliance requirements (e.g., ISO 27001, SOC 2, HIPAA)

Cons:

  • Minor performance impact due to logging operations

Default Value:

The auditd package may be installed by default, but the service is not necessarily enabled unless it is configured explicitly.

Pre-requisites:

  • auditd must be installed

  • Root or sudo access is required

Test Plan:

Using Linux Command Line:

  1. Check if auditd is enabled:

systemctl is-enabled auditd

  2. Check if the service is running:

systemctl status auditd
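
A scripted form of the two checks above, added here as an example and not part of the benchmark text. It assumes a systemd host and uses `systemctl is-active auditd` as the scriptable equivalent of the `systemctl status auditd` step; the pass/fail decision is kept in a separate function so it can be exercised without a live system:

```shell
#!/bin/sh
# Added audit helper for this control; it is not part of the benchmark text.
# evaluate_auditd_state ENABLED ACTIVE
#   ENABLED is the output of `systemctl is-enabled auditd`,
#   ACTIVE  is the output of `systemctl is-active auditd`.
#   Prints one PASS/FAIL line and returns 0 on pass, 1 on fail, so the
#   decision logic can be checked without systemd present.
evaluate_auditd_state() {
    ev_enabled="$1"
    ev_active="$2"
    if [ "$ev_enabled" != "enabled" ]; then
        # disabled, masked, or empty output (unit or systemctl missing):
        # auditd will not start at boot, so early events are never recorded.
        printf 'FAIL: auditd is not enabled at boot (is-enabled=%s)\n' "${ev_enabled:-<none>}"
        return 1
    fi
    if [ "$ev_active" != "active" ]; then
        # Enabled but not running: nothing is being written to disk right now.
        printf 'FAIL: auditd is enabled but not running (is-active=%s)\n' "${ev_active:-<none>}"
        return 1
    fi
    printf 'PASS: auditd is enabled and active\n'
    return 0
}

# Live check: query systemd, then evaluate. Errors are silenced so a missing
# unit simply yields an empty string, which evaluates to FAIL.
audit_auditd() {
    au_enabled=$(systemctl is-enabled auditd 2>/dev/null)
    au_active=$(systemctl is-active auditd 2>/dev/null)
    evaluate_auditd_state "$au_enabled" "$au_active"
}

# Run the live check only when asked (sh check_auditd.sh run), so the file
# can also be sourced by a larger benchmark script.
if [ "${1:-}" = "run" ]; then
    audit_auditd
    exit $?
fi
```

The exit status of the live check (0 pass, 1 fail) lets the script be used directly as a compliance probe by configuration-management or monitoring tooling.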

Implementation Plan:

Using Linux Command Line:

  1. Enable the auditd service:

systemctl enable auditd

  2. Start the auditd service:

systemctl start auditd

Backout Plan:

Using Linux Command Line:

  1. Stop the auditd service:

systemctl stop auditd

  2. Disable the auditd service:

systemctl disable auditd

References:

CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Service Configuration Guide
NIST SP 800-53 Revision 5 - AU-3