{"description": "\nTo properly set the permissions of <code>/etc/audit/audit.rules</code>, run the command:\n<pre>$ sudo chmod 0640 /etc/audit/audit.rules</pre>", "rationale": "Without the capability to restrict the roles and individuals that can select which events\nare audited, unauthorized personnel may be able to prevent the auditing of critical\nevents. Misconfigured audits may degrade the system's performance by overwhelming\nthe audit log. Misconfigured audits may also make it more difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify\nthose responsible for one.", "severity": "medium", "references": {"cis": ["6.3.4.5"], "stigid": ["UBTU-22-653065"], "stigref": ["SV-260601r958444_rule"]}, "control_references": {"cis": ["6.3.4.5"], "stigid": ["UBTU-22-653065"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/audit/audit.rules does not have unix mode -rw-r-----", "ocil": "To check the permissions of <code>/etc/audit/audit.rules</code>,\nrun the command:\n<pre>$ ls -l /etc/audit/audit.rules</pre>\nIf properly configured, the output should indicate the following permissions:\n<code>-rw-r-----</code>", "oval_external_content": null, "fixtext": "\nTo properly set the permissions of <code>/etc/audit/audit.rules</code>, run the command:\n<pre>$ sudo chmod 0640 /etc/audit/audit.rules</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": " The Ubuntu 22.04 /etc/audit/audit.rules file must have mode 0640 or less permissive to prevent unauthorized access.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Verify Permissions on /etc/audit/audit.rules", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/file_permissions_auditd/file_permissions_etc_audit_rules/rule.yml", "template": {"name": "file_permissions", "vars": {"filepath": "/etc/audit/audit.rules", "allow_stricter_permissions": "true", "filemode": "0640"}, "backends": {}}}