Red Hat Enterprise Linux 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Audit tools must have the correct group owner.
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
- name: Test for existence /sbin/auditctl
stat:
path: /sbin/auditctl
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/auditctl
file:
path: /sbin/auditctl
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/aureport
stat:
path: /sbin/aureport
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/aureport
file:
path: /sbin/aureport
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/ausearch
stat:
path: /sbin/ausearch
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/ausearch
file:
path: /sbin/ausearch
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/autrace
stat:
path: /sbin/autrace
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/autrace
file:
path: /sbin/autrace
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/auditd
stat:
path: /sbin/auditd
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/auditd
file:
path: /sbin/auditd
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/rsyslogd
stat:
path: /sbin/rsyslogd
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/rsyslogd
file:
path: /sbin/rsyslogd
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Test for existence /sbin/augenrules
stat:
path: /sbin/augenrules
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Ensure group owner 0 on /sbin/augenrules
file:
path: /sbin/augenrules
group: '0'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86240-9
- DISA-STIG-RHEL-09-232225
- NIST-800-53-AU-9
- configure_strategy
- file_audit_tools_group_ownership
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
chgrp 0 /sbin/auditctl
chgrp 0 /sbin/aureport
chgrp 0 /sbin/ausearch
chgrp 0 /sbin/autrace
chgrp 0 /sbin/auditd
chgrp 0 /sbin/rsyslogd
chgrp 0 /sbin/augenrules
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi