System Audit Logs Must Be Owned By Root

An XCCDF Rule

Description

All audit logs must be owned by root user and group. By default, the path for audit log is

/var/log/audit/

. To properly set the owner of /var/log/audit, run the command:

$ sudo chown root /var/log/audit

To properly set the owner of /var/log/audit/*, run the command:

$ sudo chown root /var/log/audit/*

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

ID: xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
Severity: Medium
References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8

5.4.1.1

APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01

3.3.1

CCI-000162 CCI-000163 CCI-000164 CCI-001314

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CIP-003-8 R5.1.1 CIP-003-8 R5.3 CIP-004-6 R2.3 CIP-007-3 R2.1 CIP-007-3 R2.2 CIP-007-3 R2.3 CIP-007-3 R5.1 CIP-007-3 R5.1.1 CIP-007-3 R5.1.2

AC-6(1) AU-9(4) CM-6(a)

DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

Req-10.5.1

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029

SRG-APP-000118-CTR-000240

10.3.2
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
  GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
  if ! [ "${GROUP}" == 'root' ] ; then    chown root:${GROUP} /var/log/audit
    chown root:${GROUP} /var/log/audit/audit.log*
  else
    chown root:root /var/log/audit
    chown root:root /var/log/audit/audit.log*
  fi
else
  chown root:root /var/log/audit
  chown root:root /var/log/audit/audit.log*
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

System Audit Logs Must Be Owned By Root

Description

Rationale

Remediation - Shell Script