Remediation says:
Run the following command to remove more permissive mode from the audit tools:
# chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules.
go-w means "remove write permissions from Group and Others."
If we have 0777 and run chmod go-w, we will end up with 0755.
The check, however, does not accept what the remediation proposes:
r:[\w@-]+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
755 will fail the check.
Moreover, the rule is broken, and it will pass obviously incorrect things like 777.
The proposed fix is
rules:
- - 'c:stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:[\w@-]+ && !r:000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755'
+ - 'c:stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -> r:\w+ && r:500|501|504|505|510|511|514|515|540|541|544|545|550|551|554|555|700|701|704|705|710|711|714|715|740|741|744|745|750|751|754|755'

That is, allow [57][0145][0145] permissions:
- The owner must be able to at least read and execute (or else it does not make much sense to have the tools installed): rx (5) and rwx (7);
- The group and the others must not have write permissions; read and execute are OK: --- (0), r (1), x (4), rx (5).
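Review bot: the allow-list in the `+` line is unanchored, so `r:500|...|755` also matches a four-digit mode such as `4755` (setuid plus 755), because nothing constrains what precedes the three digits in the `path mode` output; anchor the mode field (a space before the three digits and an end-of-line anchor after them) so that only a bare three-digit mode from the allowed set passes. The leading `r:\w+` is satisfied by every output line and adds nothing over the old `r:[\w@-]+`. Also, the old rule was a negated match (`!r:`) that fails as soon as any one of the six files has a denied mode, whereas a positive match may pass as soon as any one file has an allowed mode; if the engine treats a command regex as satisfied by a single matching line, the new form silently weakens the check, so confirm that every listed file still has to be compliant.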
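As an added illustration (not code from the issue or from the ruleset), the original deny-list and the issue's allow-list evaluated in Python against constructed `stat -c "%n %a"` output; Python's `re` only approximates the rule engine's regex dialect, and the allow-list is written here anchored to the whole mode field, which the `+` line above does not do.

```python
import re

# Constructed sample output of `stat -c "%n %a"` for the audit tools (not from a real host).
SAMPLE_STAT_OUTPUT = """\
/sbin/auditctl 755
/sbin/aureport 777
/sbin/ausearch 4755
/sbin/autrace 750
/sbin/auditd 500
/sbin/augenrules 644"""

# Deny-list from the original check, as a plain (unanchored) alternation: a line
# passes the original rule only if none of these three-digit strings occurs in it.
ORIGINAL_DENY = re.compile(
    "000|010|040|050|001|011|041|051|004|014|044|054|005|015|045|055|"
    "700|710|740|750|701|711|741|751|704|714|744|754|705|715|745|755"
)

# Allow-list from the issue ([57][0145][0145]), anchored so that only a bare
# three-digit mode after the path matches: a setuid mode such as 4755 does not.
PROPOSED_ALLOW = re.compile(r"^\S+ [57][0145][0145]$")


def original_check(line: str) -> bool:
    """True when the original `!r:` rule would accept this stat line."""
    return ORIGINAL_DENY.search(line) is None


def proposed_check(line: str) -> bool:
    """True when the anchored allow-list accepts this stat line."""
    return PROPOSED_ALLOW.match(line) is not None


def evaluate(stat_output: str, check) -> dict:
    """Apply a per-line check to every `path mode` line; returns {path: passed}."""
    results = {}
    for line in stat_output.splitlines():
        path, _mode = line.rsplit(" ", 1)
        results[path] = check(line)
    return results


def all_compliant(stat_output: str, check) -> bool:
    """What the check should really answer: every listed tool passes."""
    return all(evaluate(stat_output, check).values())


if __name__ == "__main__":
    for name, check in (("original", original_check), ("proposed", proposed_check)):
        print(name, evaluate(SAMPLE_STAT_OUTPUT, check))
```

Running it shows the two complaints from the issue side by side: 755 fails the original deny-list while 777 passes it, and the anchored allow-list reverses both.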