All audit logs must be group owned by root user.
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Using the path of the directory containing the audit logs, determine if the audit log files
are owned by the "root" group by using the following command:
$ sudo stat -c "%n %G" /var/log/audit/*
/var/log/audit/audit.log root
If the audit log files are owned by a group other than "root", this is a finding.
To remediate, configure the audit log directory and its underlying files to be owned by "root"
group.
Set the "log_group" parameter of the audit configuration file to the "root" value so when a
new log file is created, its group owner is properly set:
$ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf
$ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf
Last, signal the audit daemon to reload the configuration file to update the group owners
of existing files:
$ sudo systemctl kill auditd -s SIGHUP