{"description": "The operating system file integrity tool must be configured to protect the integrity of the audit tools.", "rationale": "Protecting the integrity of the tools used for auditing purposes is a\ncritical step toward ensuring the integrity of audit information. Audit\ninformation includes all information (e.g., audit records, audit settings,\nand audit reports) needed to successfully audit information system\nactivity.\n\nAudit tools include but are not limited to vendor-provided and open-source\naudit tools needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code\ninto the existing tools to provide the capability to hide or erase system\nactivity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed to\nprovide the capability to identify when the audit tools have been modified,\nmanipulated, or replaced. An example is a checksum hash of the file or\nfiles.", "severity": "medium", "references": {"nist": ["AU-9(3)", "AU-9(3).1"], "srg": ["SRG-OS-000278-GPOS-00108"], "cis": ["6.1.3"], "stigid": ["UBTU-22-651030"], "stigref": ["SV-260586r1044779_rule"]}, "control_references": {"cis": ["6.1.3"], "stigid": ["UBTU-22-651030"]}, "components": [], "identifiers": {}, "ocil_clause": "integrity checks of the audit tools are missing or incomplete", "ocil": "Check that AIDE is properly configured to protect the integrity of the\naudit tools by running the following command:\n\n<pre># sudo cat /etc/aide/aide.conf | grep /usr/sbin/au\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\n</pre>\nIf AIDE is configured properly to protect the integrity of the audit tools,\nall lines listed above will be returned from the command.\n\nIf one or more lines are missing, this is a finding.", "oval_external_content": null, "fixtext": "Add or update the following lines to /etc/aide/aide.conf, to protect the integrity of the audit tools.\n\n<pre>\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512\n\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\n</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must use cryptographic mechanisms to protect the integrity of audit tools.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must use cryptographic mechanisms to protect the integrity of audit tools.", "vuldiscussion": "Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nAudit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nIt is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs.\n\nTo address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.", "checktext": "Check that AIDE is properly configured to protect the integrity of the audit tools with the following command:\n\n$ sudo grep /usr/bin/au /etc/aide.conf\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512\n\nIf AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system.\n\nIf any of the audit tools listed above do not have a corresponding line, ask the SA to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools.\n\nIf there is no evidence of integrity protection, this is a finding.", "fixtext": "Add or update the following lines to \"/etc/aide.conf\", to protect the integrity of the audit tools.\n\n/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512\n/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure AIDE to Verify the Audit Tools", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml", "template": null}