System Audit Directories Must Be Group Owned By Root

An XCCDF Rule

Description

All audit directories must be group owned by root user. By default, the path for audit log is

/var/log/audit/

. To properly set the group owner of /var/log/audit, run the command:

$ sudo chgrp root /var/log/audit

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

ID: xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit
Severity: Medium
References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8

5.4.1.1

APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01

3.3.1

CCI-000162 CCI-000163 CCI-000164 CCI-001314

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6(1) AU-9(4) CM-6(a)

DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

Req-10.5.1

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084

OL08-00-030110

SV-248736r958434_rule
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel; then
if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else
  GROUP=rootfi
if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
  DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev)
else
  DIR="/var/log/audit"
fi


GROUP="root"

find ${DIR} -type d -exec chgrp ${GROUP} {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-OL08-00-030110  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: System Audit Directories Must Be Group Owned By Root - Register Audit Configuration
    Text
  ansible.builtin.slurp:
    src: /etc/audit/auditd.conf
  register: auditd_config_slurp
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel" in ansible_facts.packages'
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-OL08-00-030110
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: System Audit Directories Must Be Group Owned By Root - Set Permissions Custom
    Location
  ansible.builtin.file:
    group: |-
      {{ auditd_config_slurp['content'] | b64decode | regex_findall('
      log_group\s*=\s*(.+)') | default(['root',], boolean=True) | first }}
    path: |-
      {{ auditd_config_slurp['content'] | b64decode | regex_findall('
      log_file\s*=\s*(.+)') | default(['/var/log/audit/audit.log',], boolean=True) | first | dirname }}
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel" in ansible_facts.packages'
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-OL08-00-030110
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

System Audit Directories Must Be Group Owned By Root

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet