Verify that audit tools Have Mode 0755 or less

Docs > Datadog Security > OOTB Rules > Verify that audit tools Have Mode 0755 or less

Classification:

compliance

Framework:

Control:

Description

The Ubuntu 22.04 operating system audit tools must have the proper permissions configured to protected against unauthorized access.

Verify it by running the following command:

$ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl 755
/sbin/aureport 755
/sbin/ausearch 755
/sbin/autrace 755
/sbin/auditd 755
/sbin/audispd 755
/sbin/augenrules 755

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.

Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

chmod u-s,g-ws,o-wt /sbin/auditctl

chmod u-s,g-ws,o-wt /sbin/aureport

chmod u-s,g-ws,o-wt /sbin/ausearch

chmod u-s,g-ws,o-wt /sbin/autrace

chmod u-s,g-ws,o-wt /sbin/auditd

chmod u-s,g-ws,o-wt /sbin/audispd

chmod u-s,g-ws,o-wt /sbin/augenrules

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for existence /sbin/auditctl
 stat:
 path: /sbin/auditctl
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditctl
 file:
 path: /sbin/auditctl
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/aureport
 stat:
 path: /sbin/aureport
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/aureport
 file:
 path: /sbin/aureport
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/ausearch
 stat:
 path: /sbin/ausearch
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/ausearch
 file:
 path: /sbin/ausearch
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/autrace
 stat:
 path: /sbin/autrace
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/autrace
 file:
 path: /sbin/autrace
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/auditd
 stat:
 path: /sbin/auditd
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/auditd
 file:
 path: /sbin/auditd
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/audispd
 stat:
 path: /sbin/audispd
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/audispd
 file:
 path: /sbin/audispd
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/augenrules
 stat:
 path: /sbin/augenrules
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-s,g-ws,o-wt on /sbin/augenrules
 file:
 path: /sbin/augenrules
 mode: u-s,g-ws,o-wt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_permissions\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed