{"description": "\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /etc/NetworkManager/system-connections/ -p wa -k </pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /etc/NetworkManager/system-connections/ -p wa -k </pre>", "rationale": "The network environment should not be modified by anything other\nthan administrator action. Any change to network parameters should be\naudited.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the system is not configured to audit changes of the network configuration", "ocil": "To determine if the system is configured to audit changes to its network configuration,\nrun the following command:\n<pre>auditctl -l | grep -E '/etc/NetworkManager/system-connections/'</pre>\nIf the system is configured to watch for network configuration changes, a line should\nbe returned and <tt>perm=wa</tt> should be indicated.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify the System's Network Environment - /etc/NetworkManager/system-connections/", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_etc_networkmanager_system_connections/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/etc/NetworkManager/system-connections/"}, "backends": {}}}