{"description": "\nTo properly set the permissions of <code>/etc/audit/rules.d/*.rules</code>, run the command:\n<pre>$ sudo chmod 0600 /etc/audit/rules.d/*.rules</pre>", "rationale": "Without the capability to restrict the roles and individuals that can select which events\nare audited, unauthorized personnel may be able to prevent the auditing of critical\nevents. Misconfigured audits may degrade the system's performance by overwhelming\nthe audit log. Misconfigured audits may also make it more difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify\nthose responsible for one.", "severity": "medium", "references": {"nist": ["AU-12(b)"], "srg": ["SRG-OS-000063-GPOS-00032"], "cis": ["6.3.4.5"], "stigid": ["UBTU-22-653065"], "stigref": ["SV-260601r958444_rule"]}, "control_references": {"cis": ["6.3.4.5"], "stigid": ["UBTU-22-653065"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/audit/rules.d/*.rules does not have unix mode -rw-------", "ocil": "To check the permissions of <code>/etc/audit/rules.d/*.rules</code>,\nrun the command:\n<pre>$ ls -l /etc/audit/rules.d/*.rules</pre>\nIf properly configured, the output should indicate the following permissions (or a more restrictive mode):\n<code>-rw-------</code>", "oval_external_content": null, "fixtext": "\nTo properly set the permissions of <code>/etc/audit/rules.d/*.rules</code>, run the command:\n<pre>$ sudo chmod 0600 /etc/audit/rules.d/*.rules</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 /etc/audit/rules.d/*.rules file must have mode 0600 or less permissive to prevent unauthorized access.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.", "fixtext": "Configure the files in directory \"/etc/audit/rules.d/\" and the \"/etc/audit/auditd.conf\" file to have a mode of \"0600\" with the following commands:\n\n$ sudo chmod 0600 /etc/audit/rules.d/audit.rules\n$ sudo chmod 0600 /etc/audit/rules.d/[customrulesfile].rules\n$ sudo chmod 0600 /etc/audit/auditd.conf", "checktext": "Verify that the files in directory \"/etc/audit/rules.d/\" and \"/etc/audit/auditd.conf\" file have a mode of \"0600\" or less permissive with the following command:\n\n# stat -c \"%a %n\" /etc/audit/rules.d/*.rules /etc/audit/auditd.conf\n\n600 /etc/audit/rules.d/audit.rules\n600 /etc/audit/auditd.conf\n\nIf the files in the \"/etc/audit/rules.d/\" directory or the \"/etc/audit/auditd.conf\" file have a mode more permissive than \"600\", this is a finding.", "vuldiscussion": "Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Verify Permissions on /etc/audit/rules.d/*.rules", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/file_permissions_auditd/file_permissions_etc_audit_rulesd/rule.yml", "template": {"name": "file_permissions", "vars": {"filepath": "/etc/audit/rules.d/", "file_regex": "^.*rules$", "allow_stricter_permissions": "true", "filemode": "0600"}, "backends": {}}}
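Added example (not part of the SSG rule record or the STIG text above): a POSIX shell script that implements the check and the fix the way the rule's template defines them, with "mode 0600 or less permissive" treated as a bitwise test (no mode bit set outside 0600) rather than an exact string match on -rw-------, so 0400 passes while 0640, 0604 and a setuid 4600 all fail. The demo_setup helper, the temporary directory it builds to stand in for /etc/audit, and the file names and modes it creates are constructed for this example so that it runs unprivileged; it assumes GNU coreutils stat -c %a (Linux).

```shell
#!/bin/sh
# Added example: check/fix "mode 0600 or less permissive" for audit rules files
# and auditd.conf. Not the SSG remediation or the STIG's own commands.
# Assumes GNU coreutils `stat -c %a` (Linux).

REQUIRED=0600   # maximum permitted mode (octal), as in the rule template

# mode_within MODE MAX -> success if MODE sets no bit outside MAX.
# Leading 0 forces octal in $(( )); ~MAX clears the permitted bits, so any
# remaining bit (group/other access, setuid/setgid/sticky) is a finding.
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_audit_perms DIR CONF -> prints one line per file, returns 1 on any finding
check_audit_perms() {
    dir=$1; conf=$2; rc=0
    for f in "$dir"/*.rules "$conf"; do
        [ -e "$f" ] || continue            # unmatched glob or missing conf
        m=$(stat -c %a "$f")
        if mode_within "$m" "$REQUIRED"; then
            printf 'OK   %4s %s\n' "$m" "$f"
        else
            printf 'FAIL %4s %s\n' "$m" "$f"; rc=1
        fi
    done
    return $rc
}

# fix_audit_perms DIR CONF -> chmod 0600 only the files that are findings,
# leaving already-stricter files (e.g. 0400) untouched.
fix_audit_perms() {
    dir=$1; conf=$2
    for f in "$dir"/*.rules "$conf"; do
        [ -e "$f" ] || continue
        mode_within "$(stat -c %a "$f")" "$REQUIRED" || chmod 0600 "$f"
    done
}

# Constructed sample layout (not a real /etc/audit) so the script runs as a
# normal user; prints the temp dir path.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/rules.d"
    : > "$d/rules.d/audit.rules";   chmod 0640 "$d/rules.d/audit.rules"   # finding
    : > "$d/rules.d/10-base.rules"; chmod 0400 "$d/rules.d/10-base.rules" # stricter: OK
    : > "$d/rules.d/README";        chmod 0644 "$d/rules.d/README"        # not *.rules: ignored
    : > "$d/auditd.conf";           chmod 0600 "$d/auditd.conf"           # OK
    echo "$d"
}

DEMO=$(demo_setup)
check_audit_perms "$DEMO/rules.d" "$DEMO/auditd.conf" || echo "findings present"
fix_audit_perms "$DEMO/rules.d" "$DEMO/auditd.conf"
check_audit_perms "$DEMO/rules.d" "$DEMO/auditd.conf" && echo "clean after fix"
rm -rf "$DEMO"
```

Against a real host, run check_audit_perms /etc/audit/rules.d /etc/audit/auditd.conf as root. Two caveats: augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules, so the generated file needs the same protection even though this rule does not examine it; and both the template's file_regex and the *.rules glob above only see names ending in "rules", so a stray copy such as audit.rules.bak in the same directory is not checked at all.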