How to confirm AUDITD is immutable

How to confirm AUDITD is immutable

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 549 bytes --]

Hello, I just wanted to confirm for my memory that if I wanted to confirm
that the auditd process running on my system was configured correctly and
intended to be
*immutable (*setting *-e 2*) I would do so easily by executing:

*auditctl  -s*

When I execute that command I get back in the results that have:
*enabled 1*
*loginuid_immutable 0 unlocked*
*among a few other lines.*

Shouldn't I actually see *enabled 2*?
I have in one of our .rules files under /etc/audit/rules.d/ the syntax
"-e 2".


Thanks,
--------------------------
Warron French

[-- Attachment #1.2: Type: text/html, Size: 1061 bytes --]

[-- Attachment #2: Type: text/plain, Size: 102 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: How to confirm AUDITD is immutable

[Steve Grubb]

On Wednesday, October 14, 2020 2:30:48 PM EDT warron.french wrote:
> Hello, I just wanted to confirm for my memory that if I wanted to confirm
> that the auditd process running on my system was configured correctly and
> intended to be
> *immutable (*setting *-e 2*) I would do so easily by executing:
> 
> *auditctl -s*
> 
> When I execute that command I get back in the results that have:
> *enabled 1*
> *loginuid_immutable 0 unlocked*
> *among a few other lines.*
> 
> Shouldn't I actually see *enabled 2*?

That's what I get.

# auditctl -s
enabled 2


> I have in one of our .rules files under /etc/audit/rules.d/ the syntax
> "-e 2".

I'd copy 99-finalize.rules to rules.d and uncomment the only rule in the file. 
It has to be last. Although I have no idea why what you have isn't working 
unless its not getting picked up by augenrules.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit