STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 10 Mar 2021:

The Ubuntu operating system must be configured so that audit configuration files are not write-accessible by unauthorized users.

DISA Rule

SV-238249r653922_rule

Vulnerability Number

V-238249

Group Title

SRG-OS-000063-GPOS-00032

Rule Version

UBTU-20-010133

Severity

CAT II

CCI(s)

• CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.

Weight

10

Fix Recommendation

Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to have a mode of "0640" by using the following command:

$ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*

Check Contents

Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files have a mode of "0640" or less permissive by using the following command:

$ sudo ls -al /etc/audit/ /etc/audit/rules.d/

/etc/audit/:

-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf

-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules

-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev

-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules

drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d

/etc/audit/rules.d/:

-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules

If "/etc/audit/audit.rule","/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.

Vulnerability Number

V-238249

Documentable

False

Rule Version

UBTU-20-010133

Severity Override Guidance

Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files have a mode of "0640" or less permissive by using the following command:

$ sudo ls -al /etc/audit/ /etc/audit/rules.d/

/etc/audit/:

-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf

-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules

-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev

-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules

drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d

/etc/audit/rules.d/:

-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules

If "/etc/audit/audit.rule","/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.

Check Content Reference

M

Target Key

5318

Comments