My systems are required to have auditd operating and immutable. Can auditbeat be configured to work with immutable auditd? If so, how?
If you need to keep the auditd daemon running then I would recommend using Auditbeat with socket_type: multicast (docs). In this mode it will receive a copy of the audit events from the kernel, and the auditd process can be left as is.
That will work while auditd is set to immutable?
It should. It doesn't modify any kernel rules or set itself as the audit PID.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.