{"description": "The Ubuntu 22.04 operating system audit tools must have the proper\nownership configured to protect against unauthorized access.\n\nVerify it by running the following command:\n<pre>$ stat -c \"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules\n\n/sbin/auditctl root\n\n/sbin/aureport root\n\n/sbin/ausearch root\n\n/sbin/autrace root\n\n/sbin/auditd root\n\n/sbin/augenrules root\n\n</pre>\n\nAudit tools are the tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "rationale": "Protecting audit information also includes identifying and protecting the\ntools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information\nwill leverage user permissions and roles identifying the user accessing the\ntools and the corresponding rights the user enjoys to make access decisions\nregarding the access to audit tools.", "severity": "medium", "references": {"srg": ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"], "cis": ["6.3.4.9"], "stigid": ["UBTU-22-232110"], "stigref": ["SV-260507r991557_rule"]}, "control_references": {"cis": ["6.3.4.9"], "stigid": ["UBTU-22-232110"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "Verify it by running the following command:\n<pre>$ stat -c \"%n %U\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules\n\n/sbin/auditctl root\n\n/sbin/aureport root\n\n/sbin/ausearch root\n\n/sbin/autrace root\n\n/sbin/auditd root\n\n/sbin/augenrules root\n\n</pre>\nIf the command does not return all the above lines, the missing ones\nneed to be added.\n\nRun the following command to correct the permissions of the missing\nentries:\n<pre>$ sudo chown root [audit_tool] </pre>\n\nReplace \"[audit_tool]\" with each audit tool not owned by root.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Verify that audit tools are owned by root", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/file_permissions_auditd/file_ownership_audit_binaries/rule.yml", "template": {"name": "file_owner", "vars": {"filepath": ["/sbin/auditctl", "/sbin/aureport", "/sbin/ausearch", "/sbin/autrace", "/sbin/auditd", "/sbin/augenrules"], "uid_or_name": "0"}, "backends": {}}}