{"description": "The audit system should collect access events to read audit log directory.\nThe following audit rule will assure that access to audit log directory are\ncollected.\nSet ARCH to either b32 for 32-bit system, or have two lines for both b32 and b64 in case your system is 64-bit.\n<pre>-a always,exit -F arch=ARCH -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nrule to a file with suffix <tt>.rules</tt> in the directory\n<tt>/etc/audit/rules.d</tt>.\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the rule to\n<tt>/etc/audit/audit.rules</tt> file.", "rationale": "Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.\nAuditing these events could serve as evidence of potential system compromise.'", "severity": "medium", "references": {"nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "pcidss4": ["10.3.1", "10.3"]}, "control_references": {"pcidss4": ["10.3.1", "10.3"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit accesses to\n<code>/var/log/audit</code> directory, run the following command:\n<pre space=\"preserve\">$ sudo grep \"dir=/var/log/audit\" /etc/audit/audit.rules</pre>\nIf the system is configured to audit this activity, it will return a line.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Access Events to Audit Log Directory", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml", "template": null}