System Audit Logs Must Be Group Owned By Root
An XCCDF Rule
Description
All audit logs must be group owned by root user. The path for audit log can
be configured via log_file
parameter in
/etc/audit/auditd.confor, by default, the path for audit log is
/var/log/audit/. To properly set the group owner of
/var/log/audit/*
, run the command:
$ sudo chgrp root /var/log/audit/*If
log_group
in /etc/audit/auditd.conf
is set to a group other
than the root
group account, change the group ownership of the audit logs
to this specific group.
Rationale
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
- ID
- xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
if LC_ALL=C grep -iw log_file /etc/audit/auditd.conf; then
FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else