{"description": "Configure audit to meet requirements for Operating System Protection Profile (OSPP) v4.2.1.\n\nAudit defines groups of rules in <tt>/usr/share/doc/audit/rules</tt> to satisfy specific policies.\n\nTo fulfill requirements for compliance with OSPP v4.2.1, the following files are necessary:\n<ul>\n<li>/usr/share/doc/audit/rules/10-base-config.rules</li>\n<li>/usr/share/doc/audit/rules/11-loginuid.rules</li>\n<li>/usr/share/doc/audit/rules/30-ospp-v42.rules</li>\n<li>/usr/share/doc/audit/rules/43-module-load.rules</li>\n</ul>\n\nCopy the files from <tt>/usr/share/doc/audit/rules</tt> to <tt>/etc/audit/rules.d</tt>:\n<pre>\ncp /usr/share/doc/audit*/rules/{10-base-config,11-loginuid,30-ospp-v42,43-module-load}.rules /etc/audit/rules.d/\n</pre>", "rationale": "The audit rules defined in <tt>/usr/share/doc/audit/rules</tt> are the recommended way to meet compliance with OSPP v4.2.1.", "severity": "medium", "references": {"nist": ["NONE"], "srg": ["SRG-OS-000004-GPOS-00004", "SRG-OS-000240-GPOS-00090", "SRG-OS-000241-GPOS-00091", "SRG-OS-000303-GPOS-00120", "SRG-OS-000476-GPOS-00221", "SRG-OS-000327-GPOS-00127", "SRG-OS-000064-GPOS-00033", "SRG-OS-000365-GPOS-00152", "SRG-OS-000458-GPOS-00203", "SRG-OS-000461-GPOS-00205", "SRG-OS-000462-GPOS-00206", "SRG-OS-000463-GPOS-00207", "SRG-OS-000465-GPOS-00209", "SRG-OS-000466-GPOS-00210", "SRG-OS-000468-GPOS-00212", "SRG-OS-000470-GPOS-00214", "SRG-OS-000471-GPOS-00215", "SRG-OS-000471-GPOS-00216", "SRG-OS-000472-GPOS-00217", "SRG-OS-000474-GPOS-00219", "SRG-OS-000475-GPOS-00220", "SRG-OS-000477-GPOS-00222"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the files are not there or differ", "ocil": "To verify that audit is configured for OSPP v4.2.1, run the following commands:\n<pre>for file in \"10-base-config\" \"11-loginuid\" \"30-ospp-v42\" \"43-module-load\";do diff /etc/audit/rules.d/$file.rules /usr/share/doc/audit*/rules/$file.rules; done</pre>\n\nIf the system is configured properly, no lines should be returned.", "oval_external_content": null, "fixtext": "Configure audit to meet requirements for OSPP v4.2.1.\n\nRun the following commands to copy all audit rules:\n\n$ sudo cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d\n$ sudo cp /usr/share/doc/audit*/rules/11-loginuid.rules /etc/audit/rules.d\n$ sudo cp /usr/share/doc/audit*/rules/30-ospp-v42.rules /etc/audit/rules.d\n$ sudo cp /usr/share/doc/audit*/rules/43-module-load.rules /etc/audit/rules.d\n\nThen, run the following command to load all audit rules:\n\n$ sudo augenrules --load", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"performance": "It might happen that the Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing <pre>-b larger_buffer_size</pre> into a file within the <tt>/etc/audit/rules.d</tt> directory, replacing <tt>larger_buffer_size</tt> with the desired value. The file name should start with a number higher than 10 and lower than 99."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure audit according to OSPP requirements", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/policy_rules/audit_rules_for_ospp/rule.yml", "template": null}