{"description": "Auditing the systemd journal files provides logging that can be used for\nforensic purposes. Verify the system generates audit records for all events\nthat affect \"/var/log/journal\" by using the following command:\n\n<pre>\n$ sudo auditctl -l | grep journal\n-w /var/log/journal/ -p wa -k systemd_journal\n</pre>\n\nIf the command does not return a line that matches the example or the line\nis commented out, this is a finding.\n\nNote: The \"-k\" value is arbitrary and can be different from the example\noutput above.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /var/log/journal -p wa -k systemd_journal</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /var/log/journal -p wa -k systemd_journal</pre>", "rationale": "Once an attacker establishes access to a system, the attacker often attempts\nto create a persistent method of reestablishing access. One way to accomplish\nthis is for the attacker to modify system level binaries and their operation.\nAuditing the systemd journal files provides logging that can be used for\nforensic purposes.", "severity": "medium", "references": {"stigid": ["UBTU-22-654190"], "stigref": ["SV-260640r991589_rule"]}, "control_references": {"stigid": ["UBTU-22-654190"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/var/log/journal\" with the following command:\n\n$ sudo auditctl -l | grep /var/log/journal\n\n-w /var/log/journal -p wa -k systemd_journal", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect <tt>\"/var/log/journal/\"</tt>.\nAdd or update the following file system rule to <tt>\"/etc/audit/rules.d/audit.rules\"</tt>:\n-w /var/log/journal/ -p wa -k systemd_journal\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/journal/.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects records for events that affect \"/var/log/journal\"", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_log_journal/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/var/log/journal/", "key": "systemd_journal"}, "backends": {}}}