System Audit Directories Must Be Owned By Root

An XCCDF Rule

Description

All audit directories must be owned by root user. By default, the path for audit log is

/var/log/audit/

. To properly set the owner of /var/log/audit, run the command:

$ sudo chown root /var/log/audit

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

ID: xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit
Severity: Medium
References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8

5.4.1.1

APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01

3.3.1

CCI-000162 CCI-000163 CCI-000164 CCI-001314

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6(1) AU-9(4) CM-6(a)

DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

Req-10.5.1

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029 SRG-OS-000206-GPOS-00084

SV-230399r1017205_rule
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030100  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: System Audit Directories Must Be Owned By Root - Register Audit Configuration
    Text
  ansible.builtin.slurp:
    src: /etc/audit/auditd.conf
  register: auditd_config_slurp
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel" in ansible_facts.packages'
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030100
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: System Audit Directories Must Be Owned By Root - Set Permissions Custom Location
  ansible.builtin.file:
    owner: root
    path: |-
      {{ auditd_config_slurp['content'] | b64decode | regex_findall('
      log_file\s*=\s*(.+)') | default(['/var/log/audit/audit.log',], boolean=True) | first | dirname }}
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel" in ansible_facts.packages'
  tags:
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030100
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-AU-9(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - configure_strategy
  - directory_ownership_var_log_audit
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel; then
if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
    LOGPATH="$(dirname "$FILE")"
    chown root $LOGPATHelse
    chown root /var/log/audit
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

System Audit Directories Must Be Owned By Root

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script