All audit logs must be group-owned by the root user. The path for the audit log can be configured via the log_file parameter in /etc/audit/auditd.conf; by default, the audit log path is /var/log/audit/.
To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to that specific group instead.
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
The following script can be run on the host to remediate the issue.
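#!/bin/bash
# Remediation for file_group_ownership_var_log_audit: make the configured audit
# log and its rotated copies group-owned by root (or by log_group when set).
# Remediation is applicable only in certain platforms: it is skipped inside
# containers and on hosts where the auditd package is not installed.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
    # Resolve the configured audit log path. Only an uncommented log_file line
    # counts (anchored with ^). The grep is case-insensitive but the awk pattern
    # is not, so an upper-case key would leave FILE empty; the explicit fallback
    # below guarantees the trailing glob never degenerates into a bare "*"
    # expanded in the current working directory.
    if LC_ALL=C grep -iqw '^log_file' /etc/audit/auditd.conf; then
        FILE=$(awk -F "=" '/^log_file/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')
    fi
    if [ -z "${FILE}" ]; then
        FILE="/var/log/audit/audit.log"
    fi
    # log_group overrides root when set. The awk pattern is anchored so a
    # commented-out "#log_group" line cannot supply a value, and "exit" after
    # the first match keeps a duplicated key from producing two words that
    # would be split into separate chgrp arguments.
    if LC_ALL=C grep -m 1 -q '^log_group' /etc/audit/auditd.conf; then
        GROUP=$(awk -F "=" '/^log_group/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')
    fi
    if [ -z "${GROUP}" ]; then
        GROUP="root"
    fi
    # Quote the path but leave the glob unquoted: it covers audit.log plus the
    # rotated audit.log.N files stored next to it.
    chgrp "${GROUP}" "${FILE}"*
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi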
The following playbook can be run with Ansible to remediate the issue.
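# Remediation tasks for file_group_ownership_var_log_audit: make the configured
# audit log and its rotated copies group-owned by root. Every task is gated on
# the auditd package being installed and the host not being a container.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Get Audit Log Files
  # Only an uncommented log_file line is considered (anchored with ^). The task
  # never fails, so an absent setting simply yields an empty stdout.
  ansible.builtin.command: grep -iw ^log_file /etc/audit/auditd.conf
  failed_when: false
  register: log_file_exists
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Set Log File Facts
  # Split on "=" rather than on a space so "log_file=/path" (no whitespace
  # around the equals sign) parses the same as "log_file = /path"; trim then
  # removes any surrounding spaces from the value.
  ansible.builtin.set_fact:
    log_file_line: "{{ log_file_exists.stdout | split('=') | last | trim }}"
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Set Default log_file if Not Set
  # auditd's documented default location, used when the config has no log_file.
  ansible.builtin.set_fact:
    log_file: /var/log/audit/audit.log
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - (log_file_exists is undefined) or (log_file_exists.stdout | length == 0)
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Set log_file From log_file_line if Not Set Already
  ansible.builtin.set_fact:
    log_file: "{{ log_file_line }}"
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - (log_file_line is defined) and (log_file_line | length > 0)
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - List All Log File Backups
  # Rotated copies live next to the log and share its basename as a prefix
  # (e.g. audit.log.1).
  ansible.builtin.find:
    path: "{{ log_file | dirname }}"
    patterns: "{{ log_file | basename }}.*"
  register: backup_files
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Apply Group Ownership to All Backup Log Files
  ansible.builtin.file:
    path: "{{ item }}"
    group: root
  failed_when: false
  # default([]) keeps the loop expression valid when the find task above was
  # skipped: Ansible renders the loop before evaluating when, so an undefined
  # backup_files.files would fail this task instead of skipping it.
  loop: "{{ backup_files.files | default([]) | map(attribute='path') | list }}"
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: System Audit Logs Must Be Group Owned By Root - Apply Group Ownership to Log File
  ansible.builtin.file:
    path: "{{ log_file }}"
    group: root
  failed_when: false
  when:
    - '"auditd" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.4.1.1
    - DISA-STIG-UBTU-20-010124
    - NIST-800-171-3.3.1
    - NIST-800-53-AC-6(1)
    - NIST-800-53-AU-9(4)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.5.1
    - PCI-DSSv4-10.3.2
    - file_group_ownership_var_log_audit
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy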