System Audit Directories Must Be Group Owned By Root

An XCCDF Rule

Description

All audit directories must be group owned by root user. By default, the path for audit log is

/var/log/audit/

. To properly set the group owner of /var/log/audit, run the command:

$ sudo chgrp root /var/log/audit

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit directories to this specific group.

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

ID: xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit
Severity: Medium
References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8

5.4.1.1

APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01

3.3.1

CCI-000162 CCI-000163 CCI-000164 CCI-001314

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6(1) AU-9(4) CM-6(a)

DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

Req-10.5.1

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084

RHEL-08-030110

SV-230400r627750_rule

CCE-88225-8
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-88225-8
  - CJIS-5.4.1.1  - DISA-STIG-RHEL-08-030110
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: System Audit Directories Must Be Group Owned By Root - Register Audit Configuration
    Text
  ansible.builtin.slurp:
    src: /etc/audit/auditd.conf
  register: auditd_config_slurp
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-88225-8
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030110
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: System Audit Directories Must Be Group Owned By Root - Set Permissions Custom
    Location
  ansible.builtin.file:
    group: |-
      {{ auditd_config_slurp['content'] | b64decode | regex_findall('
      log_group\s*=\s*(.+)') | default(['root',], boolean=True) | first }}
    path: |-
      {{ auditd_config_slurp['content'] | b64decode | regex_findall('
      log_file\s*=\s*(.+)') | default(['/var/log/audit/audit.log',], boolean=True) | first | dirname }}
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-88225-8
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030110
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else  GROUP=root
fi
if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
  DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev)
else
  DIR="/var/log/audit"
fi


find ${DIR} -type d -exec chgrp ${GROUP} {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

System Audit Directories Must Be Group Owned By Root

Description

Rationale

Remediation - Ansible

Remediation - Shell Script