{"description": "All audit configuration files must be owned by group root.\n<pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</pre>", "rationale": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able\nto prevent the auditing of critical events.\nMisconfigured audits may degrade the system's performance by\noverwhelming the audit log. Misconfigured audits may also make it more\ndifficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", "severity": "medium", "references": {"srg": ["SRG-OS-000063-GPOS-00032"], "cis": ["6.3.4.7"], "stigid": ["UBTU-22-653075"], "stigref": ["SV-260603r958444_rule"]}, "control_references": {"cis": ["6.3.4.7"], "stigid": ["UBTU-22-653075"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "\nTo properly set the group owner of <code>/etc/audit/</code>, run the command:\n\n  <pre>$ sudo chgrp root /etc/audit/</pre>\n  \n\n\nTo properly set the group owner of <code>/etc/audit/rules.d/</code>, run the command:\n\n  <pre>$ sudo chgrp root /etc/audit/rules.d/</pre>\n  ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 \"/etc/audit/\" must be group-owned by root.", "fixtext": "Change the group of the file \"/etc/audit/\" to \"root\" by running the following command:\n\n$ sudo chgrp root /etc/audit/", "checktext": "Verify the group ownership of the \"/etc/audit/\" directory with the following command:\n\n$ sudo stat -c \"%G %n\" /etc/audit/\n\nroot /etc/audit/\n\nIf \"/etc/audit/\" does not have a group owner of \"root\", this is a finding.", "vuldiscussion": "The \"/etc/audit/\" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Audit Configuration Files Must Be Owned By Group root", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/file_groupownership_audit_configuration/rule.yml", "template": {"name": "file_groupowner", "vars": {"filepath": ["/etc/audit/", "/etc/audit/rules.d/"], "file_regex": ["^.*audit(\\.rules|d\\.conf)$", "^.*\\.rules$"], "gid_or_name": "0"}, "backends": {}}}