{"description": "The <tt>auditd</tt> service is an essential userspace component of\nthe Linux Auditing System, as it is responsible for writing audit records to\ndisk.\n\nThe <code>auditd</code> service can be enabled with the following command:\n<pre>$ sudo systemctl enable auditd.service</pre>", "rationale": "Without establishing what type of events occurred, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or attack.\nEnsuring the <tt>auditd</tt> service is active ensures audit records\ngenerated by the kernel are appropriately recorded.\n<br /><br />\nAdditionally, a properly configured audit subsystem ensures that actions of\nindividual system users can be uniquely traced to those users so they\ncan be held accountable for their actions.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.3.1", "3.3.2", "3.3.6"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(5)(ii)(C)", "164.310(a)(2)(iv)", "164.310(d)(2)(iii)", "164.312(b)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nerc-cip": ["CIP-004-6 R3.3", "CIP-007-3 R6.5"], "nist": ["AC-2(g)", "AU-3", "AU-10", "AU-2(d)", "AU-12(c)", "AU-14(1)", "AC-6(9)", "CM-6(a)", "SI-4(23)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "ospp": ["FAU_GEN.1"], "pcidss": ["Req-10.1"], "srg": ["SRG-OS-000062-GPOS-00031", "SRG-OS-000037-GPOS-00015", "SRG-OS-000038-GPOS-00016", "SRG-OS-000039-GPOS-00017", "SRG-OS-000040-GPOS-00018", "SRG-OS-000041-GPOS-00019", "SRG-OS-000042-GPOS-00021", "SRG-OS-000051-GPOS-00024", "SRG-OS-000054-GPOS-00025", "SRG-OS-000122-GPOS-00063", "SRG-OS-000254-GPOS-00095", "SRG-OS-000255-GPOS-00096", "SRG-OS-000337-GPOS-00129", "SRG-OS-000348-GPOS-00136", "SRG-OS-000349-GPOS-00137", "SRG-OS-000350-GPOS-00138", "SRG-OS-000351-GPOS-00139", "SRG-OS-000352-GPOS-00140", "SRG-OS-000353-GPOS-00141", "SRG-OS-000354-GPOS-00142", "SRG-OS-000358-GPOS-00145", "SRG-OS-000365-GPOS-00152", "SRG-OS-000392-GPOS-00172", "SRG-OS-000475-GPOS-00220", "SRG-APP-000095-CTR-000170", "SRG-APP-000409-CTR-000990", "SRG-APP-000508-CTR-001300", "SRG-APP-000510-CTR-001310"], "anssi": ["R33", "R73"], "cis": ["6.3.1.2"], "ism": ["1409"], "pcidss4": ["10.2.1", "10.2"], "stigid": ["UBTU-22-653015"], "stigref": ["SV-260591r1015023_rule"]}, "control_references": {"anssi": ["R33", "R73"], "cis": ["6.3.1.2"], "ism": ["1409"], "pcidss4": ["10.2.1", "10.2"], "stigid": ["UBTU-22-653015"]}, "components": [], "identifiers": {}, "ocil_clause": "the auditd service is not running", "ocil": "\n\nRun the following command to determine the current status of the\n<code>auditd</code> service:\n<pre>$ sudo systemctl is-active auditd</pre>\nIf the service is running, it should return the following: <pre>active</pre>", "oval_external_content": null, "fixtext": "To enable the auditd service run the following command:\n\n$ sudo systemctl enable --now auditd", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 service auditd must be enabled.", "warnings": [], "conflicts": [], "requires": ["package_audit_installed"], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 audit service must be enabled.", "vuldiscussion": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the \"auditd\" service is active ensures audit records generated by the kernel are appropriately recorded.\n\nAdditionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.", "checktext": "Verify the audit service is configured to produce audit records with the following command:\n\n$ systemctl status auditd.service\n\nauditd.service - Security Auditing Service\nLoaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)\nActive: active (running) since Tues 2022-05-24 12:56:56 EST; 4 weeks 0 days ago\n\nIf the audit service is not \"active\" and \"running\", this is a finding.", "fixtext": "To enable the auditd service run the following command:\n\n$ sudo systemctl enable --now auditd"}}, "platform": "package[audit]", "platforms": ["package[audit]"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_auditd_enabled.sh", "relative_path": "ubuntu2204/checks/sce/service_auditd_enabled.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_audit"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable auditd Service", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/service_auditd_enabled/rule.yml", "template": {"name": "service_enabled", "vars": {"servicename": "auditd", "packagename": "auditd"}, "backends": {}}}