{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix <tt>.rules</tt>\nin the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "rationale": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify\nthose responsible for one.\nAudit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "severity": "medium", "references": {"srg": ["SRG-OS-000064-GPOS-00033"], "stigid": ["UBTU-22-654010"], "stigref": ["SV-260604r958446_rule"]}, "control_references": {"stigid": ["UBTU-22-654010"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "To verify that execution of the command is being audited, run the following command:\n<pre>sudo auditctl -l | grep apparmor_parser</pre>\nThe output should return something similar to:\n<pre>-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Any Attempts to Run apparmor_parser", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_apparmor_parser/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/sbin/apparmor_parser"}, "backends": {}}}