System Audit Logs Must Be Owned By Root
An XCCDF Rule
Description
All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in
/etc/audit/auditd.confor by default, the path for audit log is
/var/log/audit/. To properly set the owner of
/var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
- ID
- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
if LC_ALL=C grep -iw log_file /etc/audit/auditd.conf; then
FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
chown root $FILE*