System Audit Logs Must Be Group Owned By Root

An XCCDF Rule

Description

All audit logs must be group owned by root user. The path for audit log can be configured via log_file parameter in

/etc/audit/auditd.conf

or, by default, the path for audit log is

/var/log/audit/

. To properly set the group owner of /var/log/audit/*, run the command:

$ sudo chgrp root /var/log/audit/*

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group.

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

ID: xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
Severity: Medium
References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8

5.4.1.1

APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01

3.3.1

CCI-000162 CCI-000163 CCI-000164 CCI-001314

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6(1) AU-9(4) CM-6(a)

DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

Req-10.5.1

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084

4.1.4.3

10.3.2
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Get Audit Log Files
  ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf
  failed_when: false
  register: log_file_exists
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Set Log File Facts
  ansible.builtin.set_fact:
    log_file_line: '{{ log_file_exists.stdout | split('' '') | last }}'
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Set Default log_file if Not
    Set
  ansible.builtin.set_fact:
    log_file: /var/log/audit/audit.log
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Set log_file From log_file_line
    if Not Set Already
  ansible.builtin.set_fact:
    log_file: '{{ log_file_line }}'
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (log_file_line is defined) and (log_file_line | length > 0)
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - List All Log File Backups
  ansible.builtin.find:
    path: '{{ log_file | dirname }}'
    patterns: '{{ log_file | basename }}.*'
  register: backup_files
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Apply Mode to All Backup Log
    Files
  ansible.builtin.file:
    path: '{{ item }}'
    group: root
  failed_when: false
  loop: '{{ backup_files.files| map(attribute=''path'') | list }}'
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Apply Mode to Log File
  ansible.builtin.file:
    path: '{{ log_file }}'
    group: root
  failed_when: false
  when:
  - '"auditd" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSSv4-10.3.2
  - file_group_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

if LC_ALL=C grep -iw log_file /etc/audit/auditd.conf; then
  FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else  FILE="/var/log/audit/audit.log"
fi


if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
    if ! [ "${GROUP}" == 'root' ]; then
      chgrp ${GROUP} $FILE*
    else
      chgrp root $FILE*
    fi
else
  chgrp root $FILE*
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

System Audit Logs Must Be Group Owned By Root

Description

Rationale

Remediation - Ansible

Remediation - Shell Script