{"description": "The SUSE operating system audit tools must have the proper permissions\nconfigured to protect against unauthorized access.\n\nCheck that the \"permissions.local\" file contains the correct permissions rules\nwith the following command:\n\n<pre>grep \"^/usr/sbin/au\" /etc/permissions.local\n\n/usr/sbin/audispd root:root 0750\n/usr/sbin/auditctl root:root 0750\n/usr/sbin/auditd root:root 0750\n/usr/sbin/ausearch root:root 0755\n/usr/sbin/aureport root:root 0755\n/usr/sbin/autrace root:root 0750\n/usr/sbin/augenrules root:root 0750\n</pre>\n\nAudit tools include but are not limited to vendor-provided and open-source\naudit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "rationale": "Protecting audit information also includes identifying and protecting the\ntools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\nSUSE operating systems providing tools to interface with audit information\nwill leverage user permissions and roles identifying the user accessing the\ntools and the corresponding rights the user enjoys to make access decisions\nregarding the access to audit tools.", "severity": "medium", "references": {"srg": ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098", "SRG-OS-000258-GPOS-00099"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "Check that the <tt>permissions.local</tt> file contains the correct permissions\nrules with the following command:\n\n<pre>grep \"^/usr/sbin/au\" /etc/permissions.local\n\n/usr/sbin/audispd root:root 0750\n/usr/sbin/auditctl root:root 0750\n/usr/sbin/auditd root:root 0750\n/usr/sbin/ausearch root:root 0755\n/usr/sbin/aureport root:root 0755\n/usr/sbin/autrace root:root 0750\n/usr/sbin/augenrules root:root 0750\n</pre>\n\nIf the command does not return all the above lines, the missing ones need\nto be added.\n\nRun the following command to correct the permissions after adding missing\nentries:\n\n<pre># sudo chkstat --set --system</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify Permissions of Local Logs of audit Tools", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml", "template": null}