CME-1002

Audit Subsystem (auditd)

Description

Linux kernel audit framework plus the auditd userspace daemon that records it: logs syscalls (per-syscall rules), file access (path watches), authentication events, and other security-relevant operations to the audit log. Provides a forensic trail; auditd itself only records, so alerting requires forwarding the events (for example through an audisp plugin) to a SIEM or other alerting pipeline.

CVSS Vector Impacts

Metric                   Transition   Rationale
Attack Complexity (AC)   L -> H       Compensating control: attacker actions are logged and may trigger alerting

CWE Relationships

Verification

Verify auditd is running with rules loaded (both commands need root)

$ auditctl -s | grep -E '^(enabled|pid)'
# Expected: enabled 1 (or enabled 2, meaning auditing is on and the rule set is locked until reboot) and a non-zero pid for the daemon; enabled 0 means the control is inactive, and pid 0 means no auditd is consuming events
Platform: linux
$ auditctl -l
# Expected: at least one rule line (starting with -a or -w). auditctl prints the single line "No rules" when nothing is loaded, so `auditctl -l | wc -l` reports 1 in that case and is not a sufficient check on its own. Rules loaded only via auditctl are lost on reboot; check that they are persisted under /etc/audit/rules.d/.
Platform: linux
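Added example, not part of this CME entry: a POSIX sh checker for the two verification steps above that can be exercised offline. The auditctl output it is fed here is constructed, not captured from a real host; the rule-line pattern (lines starting with -a, -w or -A) and the --live flag are this example's assumptions.

```shell
#!/bin/sh
# Added example: verify auditd status and rule set from `auditctl` output.
# Offline, it runs against the constructed samples below; on a live host
# (as root) run it with --live to check the real output.

# audit_enabled: reads `auditctl -s` output on stdin.
# Passes for "enabled 1" (auditing on) or "enabled 2" (on, rules locked
# until reboot); fails for "enabled 0" or a missing line.
audit_enabled() {
    grep -Eq '^enabled[[:space:]]+[12]$'
}

# auditd_running: reads `auditctl -s` output on stdin; pid 0 means the
# kernel may be auditing but no daemon is writing the events to disk.
auditd_running() {
    grep -Eq '^pid[[:space:]]+[1-9][0-9]*$'
}

# rules_loaded: reads `auditctl -l` output on stdin.
# auditctl prints "No rules" when nothing is loaded, so `wc -l` alone would
# report 1; count only lines that look like rules (assumed: -a/-w/-A).
rules_loaded() {
    n=$(grep -Ec '^-[awA] ' || true)
    [ "$n" -gt 0 ]
}

# verify_auditd STATUS_TEXT RULES_TEXT: returns 0 only when all checks pass,
# printing which ones failed.
verify_auditd() {
    status_text=$1
    rules_text=$2
    ok=0
    printf '%s\n' "$status_text" | audit_enabled  || { echo "FAIL: auditing not enabled (enabled 0 or missing)"; ok=1; }
    printf '%s\n' "$status_text" | auditd_running || { echo "FAIL: no auditd daemon (pid 0)"; ok=1; }
    printf '%s\n' "$rules_text"  | rules_loaded   || { echo "FAIL: no audit rules loaded"; ok=1; }
    return $ok
}

# Constructed samples of auditctl output (not from a real host).
SAMPLE_STATUS_ON='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
SAMPLE_STATUS_LOCKED='enabled 2
failure 1
pid 812'
SAMPLE_STATUS_OFF='enabled 0
failure 1
pid 0'
SAMPLE_RULES='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec'
SAMPLE_NORULES='No rules'

# Live mode: check the real host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    verify_auditd "$(auditctl -s)" "$(auditctl -l)" && echo "OK: auditd enabled with rules loaded"
fi
```

With the constructed samples, the enabled and locked status texts pass together with the two-rule list, while the "enabled 0 / pid 0" status and the "No rules" list each fail with a message naming the check, which is the distinction the plain `wc -l` check in the entry cannot make.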

References
