{"description": "\nTo properly set the permissions of <code>/etc/audit/auditd.conf</code>, run the command:\n<pre>$ sudo chmod 0640 /etc/audit/auditd.conf</pre>", "rationale": "Without the capability to restrict the roles and individuals that can select which events\nare audited, unauthorized personnel may be able to prevent the auditing of critical\nevents. Misconfigured audits may degrade the system's performance by overwhelming\nthe audit log. Misconfigured audits may also make it more difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify\nthose responsible for one.", "severity": "medium", "references": {"nist": ["AU-12(b)"], "srg": ["SRG-OS-000063-GPOS-00032"], "cis": ["6.3.4.5"], "stigid": ["UBTU-22-653065"], "stigref": ["SV-260601r958444_rule"]}, "control_references": {"cis": ["6.3.4.5"], "stigid": ["UBTU-22-653065"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/audit/auditd.conf does not have unix mode -rw-r-----", "ocil": "To check the permissions of <code>/etc/audit/auditd.conf</code>,\nrun the command:\n<pre>$ ls -l /etc/audit/auditd.conf</pre>\nIf properly configured, the output should indicate the following permissions:\n<code>-rw-r-----</code>", "oval_external_content": null, "fixtext": "\nTo properly set the permissions of <code>/etc/audit/auditd.conf</code>, run the command:\n<pre>$ sudo chmod 0640 /etc/audit/auditd.conf</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": " The Ubuntu 22.04 /etc/audit/auditd.conf file must have mode 0640 or less permissive to prevent unauthorized access.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.", "vuldiscussion": "Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", "checktext": "Verify the mode of /etc/audit/auditd.conf with the command:\n\n$ sudo stat -c \"%a %n\" /etc/audit/auditd.conf\n\n640 /etc/audit/auditd.conf\n\nIf \"/etc/audit/auditd.conf\" does not have a mode of \"0640\", this is a finding.", "fixtext": "Set the mode of /etc/audit/auditd.conf file to 0640 with the command:\n\n$ sudo chmod 0640 /etc/audit/auditd.conf"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Verify Permissions on /etc/audit/auditd.conf", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/file_permissions_auditd/file_permissions_etc_audit_auditd/rule.yml", "template": {"name": "file_permissions", "vars": {"filepath": "/etc/audit/auditd.conf", "allow_stricter_permissions": "true", "filemode": "0640"}, "backends": {}}}