{"description": "The Ubuntu 22.04 operating system must generate audit records for\nprivileged activities, nonlocal maintenance, diagnostic sessions and\nother system-level access.\n\nVerify the operating system audits activities performed during nonlocal\nmaintenance and diagnostic sessions. Run the following command:\n<pre>$ sudo auditctl -l | grep sudo.log\n-w /var/log/sudo.log -p wa -k maintenance</pre>\n\n\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /var/log/sudo.log -p wa -k maintenance</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /var/log/sudo.log -p wa -k maintenance</pre>", "rationale": "If events associated with nonlocal administrative access or diagnostic\nsessions are not logged, a major tool for assessing and investigating\nattacks would not be available.\nThis requirement addresses auditing-related issues associated with\nmaintenance tools used specifically for diagnostic and repair actions\non organizational information systems.\nNonlocal maintenance and diagnostic activities are those activities\nconducted by individuals communicating through a network, either an\nexternal network (e.g., the internet) or an internal network. Local\nmaintenance and diagnostic activities are those activities carried\nout by individuals physically present at the information system or\ninformation system component and not communicating across a network\nconnection.\nThis requirement applies to hardware/software diagnostic test\nequipment or tools. This requirement does not cover hardware/software\ncomponents that may support information system maintenance, yet are a\npart of the system, for example, the software implementing \"ping,\"\n\"ls,\" \"ipconfig,\" or the hardware and software implementing the\nmonitoring port of an Ethernet switch.", "severity": "medium", "references": {"pcidss": ["Req-10.2.2", "Req-10.2.5.b"], "srg": ["SRG-OS-000392-GPOS-00172", "SRG-OS-000471-GPOS-00215"], "anssi": ["R73"], "cis": ["6.3.3.3"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"], "stigid": ["UBTU-22-654235"], "stigref": ["SV-260649r986298_rule"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.3"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"], "stigid": ["UBTU-22-654235"]}, "components": [], "identifiers": {}, "ocil_clause": "Audit rule is not present", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/var/log/sudo.log\" with the following command:\n\n$ sudo auditctl -l | grep /var/log/sudo.log\n\n-w /var/log/sudo.log -p wa -k maintenance", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to perform maintenance activities", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_sudo_log_events/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/var/log/sudo.log", "key": "maintenance"}, "backends": {}}}