{"description": "All audit configuration files must be owned by root user.\n\nTo properly set the owner of <code>/etc/audit/</code>, run the command:\n\n  <pre>$ sudo chown root /etc/audit/ </pre>\n  \n\n\nTo properly set the owner of <code>/etc/audit/rules.d/</code>, run the command:\n\n  <pre>$ sudo chown root /etc/audit/rules.d/ </pre>\n  ", "rationale": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able\nto prevent the auditing of critical events.\nMisconfigured audits may degrade the system's performance by\noverwhelming the audit log. Misconfigured audits may also make it more\ndifficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.", "severity": "medium", "references": {"srg": ["SRG-OS-000063-GPOS-00032"], "cis": ["6.3.4.6"], "stigid": ["UBTU-22-653070"], "stigref": ["SV-260602r958444_rule"]}, "control_references": {"cis": ["6.3.4.6"], "stigid": ["UBTU-22-653070"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "\nTo properly set the owner of <code>/etc/audit/</code>, run the command:\n\n  <pre>$ sudo chown root /etc/audit/ </pre>\n  \n\n\nTo properly set the owner of <code>/etc/audit/rules.d/</code>, run the command:\n\n  <pre>$ sudo chown root /etc/audit/rules.d/ </pre>\n  ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 \"/etc/audit/\" must be owned by root.", "fixtext": "Change the owner of the file \"/etc/audit/\" to \"root\" by running the following command:\n\n$ sudo chown root /etc/audit/", "checktext": "Verify the ownership of the \"/etc/audit/\" directory with the following command:\n\n$ sudo stat -c \"%U %n\" /etc/audit/\n\nroot /etc/audit/\n\nIf the \"/etc/audit/\" directory does not have an owner of \"root\", this is a finding.", "vuldiscussion": "The \"/etc/audit/\" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Audit Configuration Files Must Be Owned By Root", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml", "template": {"name": "file_owner", "vars": {"filepath": ["/etc/audit/", "/etc/audit/rules.d/"], "file_regex": ["^.*audit(\\.rules|d\\.conf)$", "^.*\\.rules$"], "uid_or_name": "0"}, "backends": {}}}