Check: RHEL-09-653085
RHEL 9 STIG:
RHEL-09-653085
(in version v2 r3)
Title
RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. (Cat II impact)
Discussion
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
Check Content
Verify the audit logs directory is owned by "root". Determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, determine if the audit log directory is owned by "root" using the following command: $ sudo stat -c '%U %n' /var/log/audit root /var/log/audit If the audit log directory is not owned by "root", this is a finding.
Fix Text
Configure the audit log to be protected from unauthorized read access by setting the correct owner as "root" with the following command: $ sudo chown root /var/log/audit
Additional Identifiers
Rule ID: SV-258166r1045303_rule
Vulnerability ID: V-258166
Group Title: SRG-OS-000057-GPOS-00027
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000162 |
Protect audit information from unauthorized access. |
| CCI-000163 |
Protect audit information from unauthorized modification. |
| CCI-000164 |
Protect audit information from unauthorized deletion. |
| CCI-001314 |
Reveal error messages only to organization-defined personnel or roles. |