STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 10 Mar 2021:

The Ubuntu operating system must permit only authorized accounts to own the audit configuration files.

DISA Rule

SV-238250r653925_rule

Vulnerability Number

V-238250

Group Title

SRG-OS-000063-GPOS-00032

Rule Version

UBTU-20-010134

Severity

CAT II

CCI(s)

• CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.

Weight

10

Fix Recommendation

Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files to be owned by root user by using the following command:

$ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*

Check Contents

Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files are owned by root account by using the following command:

$ sudo ls -al /etc/audit/ /etc/audit/rules.d/

/etc/audit/:

drwxr-x--- 3 root root 4096 Nov 25 11:02 .

drwxr-xr-x 130 root root 12288 Dec 19 13:42 ..

-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf

-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules

-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev

-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules

drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d

/etc/audit/rules.d/:

drwxr-x--- 2 root root 4096 Dec 27 09:56 .

drwxr-x--- 3 root root 4096 Nov 25 11:02 ..

-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules

If the "/etc/audit/audit.rules", "/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file is owned by a user other than "root", this is a finding.

Vulnerability Number

V-238250

Documentable

False

Rule Version

UBTU-20-010134

Severity Override Guidance

Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files are owned by root account by using the following command:

$ sudo ls -al /etc/audit/ /etc/audit/rules.d/

/etc/audit/:

drwxr-x--- 3 root root 4096 Nov 25 11:02 .

drwxr-xr-x 130 root root 12288 Dec 19 13:42 ..

-rw-r----- 1 root root 804 Nov 25 11:01 auditd.conf

-rw-r----- 1 root root 9128 Dec 27 09:56 audit.rules

-rw-r----- 1 root root 9373 Dec 27 09:56 audit.rules.prev

-rw-r----- 1 root root 127 Feb 7 2018 audit-stop.rules

drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d

/etc/audit/rules.d/:

drwxr-x--- 2 root root 4096 Dec 27 09:56 .

drwxr-x--- 3 root root 4096 Nov 25 11:02 ..

-rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules

If the "/etc/audit/audit.rules", "/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file is owned by a user other than "root", this is a finding.

Check Content Reference

M

Target Key

5318

Comments