{"description": "If the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt> in order to make the auditd configuration\nimmutable:\n<pre>-e 2</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file in order to make the auditd configuration\nimmutable:\n<pre>-e 2</pre>\nWith this setting, a reboot will be required to change any audit rules.", "rationale": "Making the audit configuration immutable prevents accidental as\nwell as malicious modification of the audit rules, although it may be\nproblematic if legitimate changes are needed during system\noperation.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "18", "19", "3", "4", "5", "6", "7", "8"], "cjis": ["5.4.1.1"], "cobit5": ["APO01.06", "APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "BAI03.05", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "DSS06.02", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.3.1", "3.4.3"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.310(a)(2)(iv)", "164.312(d)", "164.310(d)(2)(iii)", "164.312(b)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.7.3", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.1", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 5.2", "SR 6.1"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nist": ["AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "ID.SC-4", "PR.AC-4", "PR.DS-5", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.5.2"], "srg": ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029", "SRG-APP-000119-CTR-000245", "SRG-APP-000120-CTR-000250"], "anssi": ["R73"], "cis": ["6.3.3.20"], "pcidss4": ["10.3.2", "10.3"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.20"], "pcidss4": ["10.3.2", "10.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the audit system is not set to be immutable by adding the \"-e 2\" option to the end of \"/etc/audit/audit.rules\"", "ocil": "Verify the audit system prevents unauthorized changes with the following command:\n<pre>\n$ sudo grep \"^\\s*[^#]\" /etc/audit/audit.rules | tail -1\n-e 2\n</pre>", "oval_external_content": null, "fixtext": "Configure the audit system to set the audit rules to be immutable by adding the following line to end of \"/etc/audit/rules.d/audit.rules\"\n\n-e 2\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 audit system must protect auditing rules from unauthorized change.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 audit system must protect auditing rules from unauthorized change.", "vuldiscussion": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit Ubuntu 22.04 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back.  A system reboot would be noticeable, and a system administrator could then investigate the unauthorized changes.", "checktext": "Verify the audit system prevents unauthorized changes with the following command:\n\n$ sudo grep \"^\\s*[^#]\" /etc/audit/audit.rules | tail -1\n\n-e 2\n\nIf the audit system is not set to be immutable by adding the \"-e 2\" option to the end of \"/etc/audit/audit.rules\", this is a finding.", "fixtext": "Configure the audit system to set the audit rules to be immutable by adding the following line to end of \"/etc/audit/rules.d/audit.rules\"\n\n-e 2\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Make the auditd Configuration Immutable", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml", "template": null}