System Audit Logs Must Be Group Owned By Root
An XCCDF Rule
Description
All audit logs must be group owned by root user. The path for audit log can
be configured via log_file parameter in
/etc/audit/auditd.confor, by default, the path for audit log is
/var/log/audit/. To properly set the group owner of
/var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
- ID
- xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
if LC_ALL=C grep -iw log_file /etc/audit/auditd.conf; then
FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else