6.4.4.3 Ensure audit log files group owner is configured

Information

Audit log files contain information about the system and system activity.

Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality.

Solution

Run the following command to configure the audit log files to be group owned by adm :

# find $(dirname $(awk -F"=" '/^s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f ( ! -group adm -a ! -group root ) -exec chgrp adm {} +

Run the following command to set the log_group parameter in the audit configuration file to log_group = adm :

# sed -ri 's/^s*#?s*log_groups*=s*S+(s*#.*)?.*$/log_group = adm1/' /etc/audit/auditd.conf

Run the following command to restart the audit daemon to reload the configuration file:

# systemctl restart auditd

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: b4fc8c6caa4890faa9f6c1b7bff5e96eb55d1a6fc869ce7ba670639f7889d5d0