System Audit Directories Must Be Group Owned By Root
An XCCDF Rule
Description
All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/. To properly set the group owner of
/var/log/audit
, run the command:
$ sudo chgrp root /var/log/auditIf
log_group
in /etc/audit/auditd.conf
is set to a group other than the root
group account, change the group ownership of the audit directories to this specific group.
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
- ID
- xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CJIS-5.4.1.1
- NIST-800-171-3.3.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else