Verify that audit tools are owned by group root

Docs > Datadog Security > OOTB Rules > Verify that audit tools are owned by group root

Classification:

compliance

Framework:

Control:

Description

The Ubuntu 22.04 operating system audit tools must have the proper ownership configured to protected against unauthorized access.

Verify it by running the following command:

$ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

/sbin/auditctl root
/sbin/aureport root
/sbin/ausearch root
/sbin/autrace root
/sbin/auditd root
/sbin/audispd root
/sbin/augenrules root

Audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators

Rationale

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.

Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

chgrp 0 /sbin/auditctl
chgrp 0 /sbin/aureport
chgrp 0 /sbin/ausearch
chgrp 0 /sbin/autrace
chgrp 0 /sbin/auditd
chgrp 0 /sbin/audispd
chgrp 0 /sbin/augenrules

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for existence /sbin/auditctl
 stat:
 path: /sbin/auditctl
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/auditctl
 file:
 path: /sbin/auditctl
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/aureport
 stat:
 path: /sbin/aureport
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/aureport
 file:
 path: /sbin/aureport
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/ausearch
 stat:
 path: /sbin/ausearch
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/ausearch
 file:
 path: /sbin/ausearch
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/autrace
 stat:
 path: /sbin/autrace
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/autrace
 file:
 path: /sbin/autrace
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/auditd
 stat:
 path: /sbin/auditd
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/auditd
 file:
 path: /sbin/auditd
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/audispd
 stat:
 path: /sbin/audispd
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/audispd
 file:
 path: /sbin/audispd
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /sbin/augenrules
 stat:
 path: /sbin/augenrules
 register: file\_exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure group owner 0 on /sbin/augenrules
 file:
 path: /sbin/augenrules
 group: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - configure\_strategy
 - file\_groupownership\_audit\_binaries
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed