{"description": "By default, Ubuntu 22.04 ships an audit rule to disable syscall\nauditing for performance reasons.\n\nTo make sure that syscall auditing works, this line must be removed from\n<tt>/etc/audit/rules.d/audit.rules</tt> and <tt>/etc/audit/audit.rules</tt>:\n\n<pre>-a task,never</pre>", "rationale": "Audit rules for syscalls do not take effect unless this line is removed.", "severity": "medium", "references": {"srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "syscall auditing is still disabled", "ocil": "To check for the offending line, run the following command:\n<pre>$ grep task,never /etc/audit/{rules.d,.}/audit.rules</pre>\nThere must not be any output, or else these lines must be removed from\nthe matching files.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Remove Default Configuration to Disable Syscall Auditing", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml", "template": null}