Title

System audit logs must be group-owned by root, bin, sys, or system. (Cat II impact)

Discussion

Sensitive system and user information could provide a malicious user with enough information to penetrate further into the system.

Check Content

Check the group ownership of the audit logs. Procedure: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group-owned by root, bin, sys, or system, this is a finding.

Fix Text

Change the group-ownership of the audit log file(s). Procedure: # chgrp root <audit log file>

Additional Identifiers

Rule ID: SV-45209r1_rule

Vulnerability ID: V-22702

Group Title: GEN002690

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.