Verify Permissions on /etc/audit/auditd.conf

Docs > Datadog Security > OOTB Rules > Verify Permissions on /etc/audit/auditd.conf

Classification:

compliance

Framework:

Control:

Description

To properly set the permissions of /etc/audit/auditd.conf, run the command:

$ sudo chmod 0640 /etc/audit/auditd.conf

Rationale

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system’s performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for existence /etc/audit/auditd.conf
 stat:
 path: /etc/audit/auditd.conf
 register: file\_exists
 tags:
 - NIST-800-53-AU-12(b)
 - configure\_strategy
 - file\_permissions\_etc\_audit\_auditd
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/audit/auditd.conf
 file:
 path: /etc/audit/auditd.conf
 mode: u-xs,g-xws,o-xwrt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - NIST-800-53-AU-12(b)
 - configure\_strategy
 - file\_permissions\_etc\_audit\_auditd
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed