1.150 UBTU-24-900220

Information

The operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command.

GROUP ID: V-270793
RULE ID: SV-270793r1066868

Solution

Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command.

Add or modify the following line in the "/etc/audit/rules.d/stig.rules" file:

-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng

To reload the rules file, issue the following command:

$ sudo augenrules --load

Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
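
One way to verify the rule file offline, as an added example (not part of the STIG or the benchmark's own check): the function name `has_apparmor_parser_rule` is hypothetical, and the check assumes one rule per line. It accepts any key name, per the note above, and treats `auid!=unset` and `auid!=4294967295` as the same filter as `auid!=-1`.

```shell
#!/bin/sh
# Added example: has_apparmor_parser_rule FILE
# Exits 0 if FILE has an uncommented rule auditing execution of
# /sbin/apparmor_parser with the required filters and some key.
has_apparmor_parser_rule() {
    awk '
    /^[ \t]*#/ { next }    # commented-out rules are never loaded
    {
        act = 0; path = 0; perm = 0; lo = 0; unset = 0; key = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-a" && $(i+1) == "always,exit") act = 1
            if ($i == "-F") {
                f = $(i+1)
                if (f == "path=/sbin/apparmor_parser") path = 1
                if (f == "perm=x") perm = 1
                if (f == "auid>=1000") lo = 1
                # -1, unset and 4294967295 all mean "no login UID set"
                if (f == "auid!=-1" || f == "auid!=unset" || f == "auid!=4294967295") unset = 1
            }
            # key may be given as "-k name" or "-F key=name"; any name is fine
            if (($i == "-k" && $(i+1) != "") || $i ~ /^key=.+/) key = 1
        }
        if (act && path && perm && lo && unset && key) found = 1
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the rule with a different key and the "unset" spelling.
sample=$(mktemp)
printf '%s\n' '-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -k apparmor_exec' > "$sample"
if has_apparmor_parser_rule "$sample"; then
    echo "rule present"
else
    echo "rule missing"
fi
rm -f "$sample"
```

On a live system, point the function at "/etc/audit/rules.d/stig.rules"; it only inspects the file on disk, so it does not show whether the rule has been loaded into the kernel.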

See Also

https://workbench.cisecurity.org/benchmarks/22775

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, CSCv7|5.5, Rule-ID|SV-270793r1066868_rule, STIG-ID|UBTU-24-900220, Vuln-ID|V-270793

Plugin: Unix

Control ID: 097ba6c13d8dba5a1f5fe4142ca7ed5ba6c58c1072f9dd43ccd3aecb95e42bd0