Red Hat Enterprise Linux 9 systems that provide tools for interfacing with audit information will use user permissions and roles, identifying the user accessing the tools and the rights that user holds, to make access decisions about the audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information, system activity, and records. Audit tools also include custom queries and report generators.
Audit tools must have the correct owner: on this platform, the tools listed below must be owned by root (uid 0).
Rationale
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
Remediation - Ansible Snippet
- name: Test for existence /sbin/auditctl
  stat:
    path: /sbin/auditctl
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/auditctl
  file:
    path: /sbin/auditctl
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/aureport
  stat:
    path: /sbin/aureport
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/aureport
  file:
    path: /sbin/aureport
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/ausearch
  stat:
    path: /sbin/ausearch
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/ausearch
  file:
    path: /sbin/ausearch
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/autrace
  stat:
    path: /sbin/autrace
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/autrace
  file:
    path: /sbin/autrace
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/auditd
  stat:
    path: /sbin/auditd
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/auditd
  file:
    path: /sbin/auditd
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/rsyslogd
  stat:
    path: /sbin/rsyslogd
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/rsyslogd
  file:
    path: /sbin/rsyslogd
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /sbin/augenrules
  stat:
    path: /sbin/augenrules
  register: file_exists
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /sbin/augenrules
  file:
    path: /sbin/augenrules
    owner: '0'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - DISA-STIG-RHEL-09-232220
  - NIST-800-53-AU-9
  - configure_strategy
  - file_audit_tools_ownership
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    chown 0 /sbin/auditctl
    chown 0 /sbin/aureport
    chown 0 /sbin/ausearch
    chown 0 /sbin/autrace
    chown 0 /sbin/auditd
    chown 0 /sbin/rsyslogd
    chown 0 /sbin/augenrules
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
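An added example, not part of the ComplianceAsCode remediation above: a read-only check in POSIX shell that reports which of the listed tools are present but not owned by uid 0, so ownership drift can be detected and logged before the chown remediation is applied. The tool list and the container guard are taken from the remediation; the function names are my own.

```shell
#!/bin/sh
# Added example: audit-mode check for file_audit_tools_ownership.
# It only reports, so it is safe to run from a read-only compliance job.

# Same audit tool list as the rule's shell remediation.
AUDIT_TOOLS="/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace
/sbin/auditd /sbin/rsyslogd /sbin/augenrules"

# Mirrors the platform guard in the remediation (not applicable in containers).
in_container() {
    [ -f /.dockerenv ] || [ -f /run/.containerenv ]
}

# Print the numeric owner uid of a path; no output and non-zero status if
# the path does not exist.
file_owner_uid() {
    stat -c %u "$1" 2>/dev/null
}

# Exit status: 0 = owned by uid 0, 1 = present but wrong owner, 2 = absent.
# Absent tools are skipped, like the Ansible "Test for existence" tasks.
check_tool_owner() {
    uid=$(file_owner_uid "$1") || return 2
    [ -n "$uid" ] || return 2
    [ "$uid" -eq 0 ]
}

# Walk the tool list, print one PASS/FAIL/SKIP line per tool, and return 1
# if any tool is present but not owned by root.
audit_tool_ownership() {
    if in_container; then
        echo "SKIP container platform, rule not applicable"
        return 0
    fi
    rc=0
    for tool in $AUDIT_TOOLS; do
        check_tool_owner "$tool"
        case $? in
            0) echo "PASS $tool owner=0" ;;
            2) echo "SKIP $tool not present" ;;
            *) echo "FAIL $tool owner=$(file_owner_uid "$tool")"; rc=1 ;;
        esac
    done
    return $rc
}
```

A non-zero exit from audit_tool_ownership is the signal to feed into a compliance dashboard or ticket before running the remediation.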