{"description": "\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /etc/apparmor.d/ -p wa -k MAC-policy</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /etc/apparmor.d/ -p wa -k MAC-policy</pre>", "rationale": "The system's mandatory access policy (AppArmor) should not be\narbitrarily changed by anything other than administrator action. All changes to\nMAC policy should be audited.", "severity": "medium", "references": {"cis": ["6.3.3.14"]}, "control_references": {"cis": ["6.3.3.14"]}, "components": [], "identifiers": {}, "ocil_clause": "the system is not configured to audit attempts to change files within the /etc/apparmor.d directory", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/etc/apparmor.d\" with the following command:\n\n$ sudo auditctl -l | grep /etc/apparmor.d\n\n-w /etc/apparmor.d -p wa -k MAC-policy", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify the System's Mandatory Access Controls (/etc/apparmor.d)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_etc_apparmor_d/rule.yml", "template": {"name": "audit_rules_watch", "vars": 
{"path": "/etc/apparmor.d", "key": "MAC-policy"}, "backends": {}}}