{"description": "To configure Audit daemon to use a unique identifier\nas computer node name in the audit events,\nset <tt>name_format</tt> to <tt><sub idref=\"var_auditd_name_format\" /></tt>\nin <tt>/etc/audit/auditd.conf</tt>.", "rationale": "If option <tt>name_format</tt> is left at its default value of\n<tt>none</tt>, audit events from different computers may be hard\nto distinguish.", "severity": "medium", "references": {"nist": ["CM-6", "AU-3"], "ospp": ["FAU_GEN.1.2"], "srg": ["SRG-OS-000039-GPOS-00017", "SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"], "ism": ["0582"], "pcidss4": ["10.2.2", "10.2"]}, "control_references": {"ism": ["0582"], "pcidss4": ["10.2.2", "10.2"]}, "components": [], "identifiers": {}, "ocil_clause": "name_format isn't set to <sub idref=\"var_auditd_name_format\" />", "ocil": "To verify that Audit Daemon is configured to record the computer node\nname in the audit events, run the following command:\n<pre>$ sudo grep name_format /etc/audit/auditd.conf</pre>\nThe output should return the following:\n<pre>name_format = <sub idref=\"var_auditd_name_format\" /></pre>", "oval_external_content": null, "fixtext": "Edit the file \"/etc/audit/auditd.conf\" and add or edit the following line:\nname_format = <sub idref=\"var_auditd_name_format\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must label all off-loaded audit logs before sending them to the central log server.", "warnings": [{"general": "Whenever the variable <pre>var_auditd_name_format</pre> uses a multiple value option, for example\n<pre>A|B|C</pre>, the first value will be used when remediating this rule."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must label all off-loaded audit logs before sending them to the central log server.", "vuldiscussion": "Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.\n\nWhen audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.", "checktext": "Verify that Ubuntu 22.04 Audit Daemon is configured to label all off-loaded audit logs, with the following command:\n\n$ sudo grep name_format /etc/audit/auditd.conf\n\nname_format = hostname\n\nIf the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding.", "fixtext": "Edit the /etc/audit/auditd.conf file and add or update the \"name_format\" option:\n\nname_format = hostname\n\nThe audit daemon must be restarted for changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Set type of computer node name logging in audit logs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml", "template": null}