System Audit Logs Must Be Group Owned By Root
An XCCDF Rule
Description
All audit logs must be group owned by the root user. Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Using the path of the directory containing the audit logs, determine if the audit log files are owned by the "root" group by using the following command:
$ sudo stat -c "%n %G" /var/log/audit/*
/var/log/audit/audit.log root
If the audit log files are owned by a group other than "root", this is a finding. To remediate, configure the audit log directory and its underlying files to be owned by the "root" group. Set the "log_group" parameter of the audit configuration file to the "root" value so that when a new log file is created, its group owner is properly set:
$ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf
$ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf
Last, signal the audit daemon to reload the configuration file to update the group owners of existing files:
$ sudo systemctl kill auditd -s SIGHUP
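The check described above, written as a reusable script. This is an added example, not part of the SSG rule content; the function names conf_value and check_audit_log_group are hypothetical. It assumes GNU stat and treats an absent log_group as root, the default documented in auditd.conf(5).

```shell
#!/bin/sh
# Added example, not SSG content. Function names are hypothetical.

# conf_value KEY FILE: print the value of KEY (matched case-insensitively, as
# the page's "grep -i" does), whitespace-trimmed; the last occurrence is used.
conf_value() {
    awk -F= -v k="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        tolower(key) == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$2"
}

# check_audit_log_group [CONF] [GROUP]
# Returns 0 = no finding, 1 = finding, 2 = could not evaluate.
check_audit_log_group() {
    conf=${1:-/etc/audit/auditd.conf}
    want=${2:-root}
    rc=0

    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf" >&2
        return 2
    fi
    log_file=$(conf_value log_file "$conf")
    if [ -z "$log_file" ] || [ ! -d "$(dirname "$log_file")" ]; then
        echo "ERROR: log_file not set or its directory is missing" >&2
        return 2
    fi

    # New log files get log_group; auditd.conf(5) documents root as the default.
    log_group=$(conf_value log_group "$conf")
    if [ "${log_group:-root}" != "$want" ]; then
        echo "FINDING: log_group in $conf is '${log_group:-root}', expected $want"
        rc=1
    fi

    # Existing files: same test as the page's stat -c "%n %G" (GNU stat).
    for f in "$(dirname "$log_file")"/*; do
        [ -f "$f" ] || continue
        grp=$(stat -c '%G' "$f")
        if [ "$grp" != "$want" ]; then
            echo "FINDING: $f is group-owned by $grp, expected $want"
            rc=1
        fi
    done
    return "$rc"
}
```

Source the file and call check_audit_log_group as root with no arguments to evaluate /etc/audit/auditd.conf against the "root" group.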
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising their confidentiality.
- ID
- xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit_stig
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q installed && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
    if LC_ALL=C grep -iw log_file /etc/audit/auditd.conf; then
        FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')