Audit Tools Must Be Group-owned by Root

An XCCDF Rule

Description

Oracle Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct group owner.

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

ID: xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
Severity: Medium
References: CCI-001493 CCI-001494 CCI-001495

AU-9

SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099

OL08-00-030640

SV-248809r779993_rule
Updated: about 1 year ago

- name: Test for existence /sbin/auditctl
  stat:
    path: /sbin/auditctl
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/auditctl
  file:
    path: /sbin/auditctl
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/aureport
  stat:
    path: /sbin/aureport
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/aureport
  file:
    path: /sbin/aureport
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/ausearch
  stat:
    path: /sbin/ausearch
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/ausearch
  file:
    path: /sbin/ausearch
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/autrace
  stat:
    path: /sbin/autrace
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/autrace
  file:
    path: /sbin/autrace
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/auditd
  stat:
    path: /sbin/auditd
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/auditd
  file:
    path: /sbin/auditd
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/rsyslogd
  stat:
    path: /sbin/rsyslogd
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/rsyslogd
  file:
    path: /sbin/rsyslogd
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/augenrules
  stat:
    path: /sbin/augenrules
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /sbin/augenrules
  file:
    path: /sbin/augenrules
    group: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-OL08-00-030640
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_group_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

chgrp 0 /sbin/auditctl
chgrp 0 /sbin/aureport
chgrp 0 /sbin/ausearchchgrp 0 /sbin/autrace
chgrp 0 /sbin/auditd
chgrp 0 /sbin/rsyslogd
chgrp 0 /sbin/augenrules

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Audit Tools Must Be Group-owned by Root

Description

Rationale

Remediation - Ansible

Remediation - Shell Script