4.1.3.20 Ensure the audit configuration is immutable
Audit
Run the following command and verify output matches:
# grep -Ph -- '^\h*-e\h+2\b' /etc/audit/rules.d/*.rules | tail -1
-e 2
Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file:
Example:
# printf -- "-e 2\n" >> /etc/audit/rules.d/99-finalize.rules
Load audit rules
Merge and load the rules into active configuration:
Check if reboot is required.
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
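A stricter variant of the audit check above, as an added example that is not part of the benchmark text: it fails when a later -e directive overrides -e 2 or when rule lines follow it, two cases the grep for -e 2 alone does not catch. The function names are hypothetical, the files are assumed to be read in shell glob order as in the grep above, and the sample directory is constructed.

```bash
#!/usr/bin/env bash
# Added example, not benchmark text. Function names are hypothetical.
# Assumption: *.rules files are read in shell glob order, as in the page's grep.

# Concatenate every rules file in DIR in glob order.
merged_rules() {
    local f
    for f in "$1"/*.rules; do
        if [ -f "$f" ]; then cat -- "$f"; fi
    done
}

# Print the value of the last "-e N" directive (nothing if there is none).
last_enable_flag() {
    merged_rules "$1" |
        awk '$1 == "-e" && $2 ~ /^[0-9]+$/ { v = $2 } END { if (v != "") print v }'
}

# Print how many non-blank, non-comment lines come after the last "-e 2".
rules_after_lock() {
    merged_rules "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "-e" && $2 == "2" { n = 0; seen = 1; next }
        seen { n++ }
        END { print n + 0 }'
}

# Return 0 only when "-e 2" is the last -e directive and the last rule line.
check_immutable() {
    if [ "$(last_enable_flag "$1")" != "2" ]; then
        echo "FAIL: last -e directive is not 2"; return 1
    fi
    if [ "$(rules_after_lock "$1")" -ne 0 ]; then
        echo "FAIL: rule lines follow -e 2"; return 1
    fi
    echo "PASS: -e 2 is the final directive"
}

# Constructed sample directory (not real system rules) for an offline run.
demo=$(mktemp -d)
printf -- '-w /etc/passwd -p wa -k identity\n' > "$demo/50-identity.rules"
printf -- '-e 2\n' > "$demo/99-finalize.rules"
check_immutable "$demo"
rm -rf "$demo"
```

On a real host, call check_immutable /etc/audit/rules.d in place of the constructed directory.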