Detections
Analytics

1.186 UBTU-24-901350

Information

The operating system must permit only authorized groups ownership of the audit log files.

GROUP ID: V-270829
RULE ID: SV-270829r1066976

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.

Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Solution

Configure the audit log directory and its underlying files to be owned by "root" group.

Set the "log_group" parameter of the audit configuration file to the "root" value so when a new log file is created, its group owner is properly set:

$ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf
$ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf

Signal the audit daemon to reload the configuration file to update the group owners of existing files:

$ sudo systemctl kill auditd -s SIGHUP

See Also

https://workbench.cisecurity.org/benchmarks/22775

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9, CAT|II, CCI|CCI-000162, CCI|CCI-000163, CCI|CCI-000164, CSCv7|14.6, Rule-ID|SV-270829r1066976_rule, STIG-ID|UBTU-24-901350, Vuln-ID|V-270829

Plugin: Unix

Control ID: 1aad1ecfc90e9c3586e6ecf9441cc841a5459e8ec5cd632cb053d5a666e888bc