How to confirm AUDITD is immutable
Steve Grubb
sgrubb at redhat.com
Wed Oct 14 18:44:50 UTC 2020
On Wednesday, October 14, 2020 2:30:48 PM EDT warron.french wrote:
> Hello, I just wanted to confirm for my memory that if I wanted to confirm
> that the auditd process running on my system was configured correctly and
> intended to be immutable (setting -e 2) I would do so easily by executing:
>
> auditctl -s
>
> When I execute that command I get back in the results that have:
> enabled 1
> loginuid_immutable 0 unlocked
> among a few other lines.
>
> Shouldn't I actually see enabled 2?
That's what I get.
# auditctl -s
enabled 2
> I have in one of our .rules files under /etc/audit/rules.d/ the syntax
> "-e 2".
I'd copy 99-finalize.rules to rules.d and uncomment the only rule in the file.
It has to be last. Although I have no idea why what you have isn't working
unless it's not getting picked up by augenrules.
-Steve
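The two checks the thread turns on, scripted as an added example (this is not code from the post or from the audit project): parsing "auditctl -s" output for "enabled 2", and emulating how augenrules merges /etc/audit/rules.d so that "-e 2" can be confirmed to be the last effective directive. The emulation assumes augenrules concatenates *.rules in lexical file order, which is the reason 99-finalize.rules is meant to sort last; the status text and rule files below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the mailing list post. Two checks:
#  1. parse "auditctl -s" style output and confirm it reports "enabled 2";
#  2. emulate augenrules' merge of $dir/*.rules (assumed: lexical file order,
#     comments and blank lines dropped) and confirm "-e 2" is the last directive.

# Read status text on stdin; succeed only if an "enabled 2" line is present.
audit_is_immutable() {
    awk '$1 == "enabled" { seen = 1; if ($2 == "2") locked = 1 }
         END { exit !(seen && locked) }'
}

# Concatenate $1/*.rules in glob (lexical) order, drop comments and blank
# lines, normalise whitespace, and succeed only if the final line is "-e 2".
immutable_is_last_rule() {
    last=$(cat "$1"/*.rules 2>/dev/null \
           | grep -Ev '^[[:space:]]*(#|$)' \
           | tail -n 1 \
           | awk '{ $1 = $1; print }')
    [ "$last" = "-e 2" ]
}

# Constructed sample status output, modelled on what the thread quotes.
STATUS_LOCKED='enabled 2
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked'

STATUS_OPEN='enabled 1
failure 1
pid 812
loginuid_immutable 0 unlocked'

# Run both checks against constructed input; succeed if every expectation holds.
check_samples() {
    printf '%s\n' "$STATUS_LOCKED" | audit_is_immutable || return 1
    if printf '%s\n' "$STATUS_OPEN" | audit_is_immutable; then return 1; fi

    dir=$(mktemp -d) || return 1
    printf -- '-w /etc/passwd -p wa -k identity\n' > "$dir/10-identity.rules"
    printf -- '## Lock the configuration; must sort last\n-e 2\n' > "$dir/99-finalize.rules"
    immutable_is_last_rule "$dir" || { rm -rf "$dir"; return 1; }

    # A file that sorts after 99-finalize.rules pushes -e 2 out of last place,
    # which is the situation the reply warns about.
    printf -- '-w /etc/shadow -p wa -k identity\n' > "$dir/zz-extra.rules"
    if immutable_is_last_rule "$dir"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
}

check_samples && echo "sample checks passed"
```

On a live system the constructed samples are replaced by `auditctl -s | audit_is_immutable` (run as root) and `immutable_is_last_rule /etc/audit/rules.d`. Note that once "-e 2" has taken effect the kernel refuses further rule changes until reboot, so the directory check is the one to run before loading the rules, and the status check the one to run afterwards.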
More information about the Linux-audit mailing list