{"description": "The Ubuntu 22.04 operating system audit tools must have the proper\npermissions configured to protect against unauthorized access.\n\nVerify it by running the following command:\n<pre>$ stat -c \"%n %a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules\n\n/sbin/auditctl 755\n\n/sbin/aureport 755\n\n/sbin/ausearch 755\n\n/sbin/autrace 755\n\n/sbin/auditd 755\n\n/sbin/augenrules 755\n\n</pre>\n\nAudit tools are those needed to successfully view and manipulate audit information\nsystem activity and records. Audit tools include custom queries and report\ngenerators.", "rationale": "Protecting audit information also includes identifying and protecting the\ntools used to view and manipulate log data. Therefore, protecting audit\ntools is necessary to prevent unauthorized operation on audit information.\n\nOperating systems providing tools to interface with audit information\nwill leverage user permissions and roles identifying the user accessing the\ntools and the corresponding rights the user enjoys to make access decisions\nregarding the access to audit tools.", "severity": "medium", "references": {"srg": ["SRG-OS-000256-GPOS-00097", "SRG-OS-000257-GPOS-00098"], "cis": ["6.3.4.8"], "stigid": ["UBTU-22-232035"], "stigref": ["SV-260492r991557_rule"]}, "control_references": {"cis": ["6.3.4.8"], "stigid": ["UBTU-22-232035"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "Verify it by running the following command:\n<pre>$ stat -c \"%n %a\" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules\n\n/sbin/auditctl 755\n\n/sbin/aureport 755\n\n/sbin/ausearch 755\n\n/sbin/autrace 755\n\n/sbin/auditd 755\n\n/sbin/augenrules 755\n\n</pre>\nIf the command does not return all the above lines, the missing ones\nneed to be added.\n\nRun the following command to correct the permissions of the missing\nentries:\n<pre>$ sudo chmod 0755 [audit_tool] </pre>\n\nReplace \"[audit_tool]\" with the audit tool that does not have the\ncorrect permissions.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Verify that audit tools Have Mode 0755 or less", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/file_permissions_auditd/file_permissions_audit_binaries/rule.yml", "template": {"name": "file_permissions", "vars": {"filepath": ["/sbin/auditctl", "/sbin/aureport", "/sbin/ausearch", "/sbin/autrace", "/sbin/auditd", "/sbin/augenrules"], "filemode": "0755"}, "backends": {}}}