System Audit Logs Must Be Group Owned By Root

Classification:

compliance

Framework:

Control:

Description

All audit logs must be group owned by root user. The path for audit log can be configured via log_file parameter in

/etc/audit/auditd.conf

or, by default, the path for audit log is

/var/log/audit/

.

To properly set the group owner of /var/log/audit/*, run the command:

$ sudo chgrp root /var/log/audit/*

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group.

Rationale

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

if LC\_ALL=C grep -iw log\_file /etc/audit/auditd.conf; then
 FILE=$(awk -F "=" '/^log\_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else
 FILE="/var/log/audit/audit.log"
fi


if LC\_ALL=C grep -m 1 -q ^log\_group /etc/audit/auditd.conf; then
 GROUP=$(awk -F "=" '/log\_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
 if ! [ "${GROUP}" == 'root' ]; then
 chgrp ${GROUP} $FILE\*
 else
 chgrp root $FILE\*
 fi
else
 chgrp root $FILE\*
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi