Check: RHEL-09-653085
RHEL 9 STIG:
RHEL-09-653085
(in versions v1 r3 through v1 r1)
Title
RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. (Cat II impact)
Discussion
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
Check Content
Verify the audit logs directory is owned by "root". First determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Then using the location of the audit log file, determine if the audit log directory is owned by "root" using the following command: $ sudo ls -ld /var/log/audit drwx------ 2 root root 23 Jun 11 11:56 /var/log/audit If the audit log directory is not owned by "root", this is a finding.
Fix Text
Configure the audit log to be protected from unauthorized read access by setting the correct owner as "root" with the following command: $ sudo chown root /var/log/audit
Additional Identifiers
Rule ID: SV-258166r926485_rule
Vulnerability ID: V-258166
Group Title: SRG-OS-000057-GPOS-00027
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000162 |
The information system protects audit information from unauthorized access. |
| CCI-000163 |
The information system protects audit information from unauthorized modification. |
| CCI-000164 |
The information system protects audit information from unauthorized deletion. |
| CCI-001314 |
The information system reveals error messages only to organization-defined personnel or roles. |