5.2.4.3 Ensure only authorized users own audit log files

Information

Audit log files contain information about the system and system activity.

Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality.

Solution

Run the following command to configure the audit log files to be owned by the root user:

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec chown root {} +

See Also

https://workbench.cisecurity.org/benchmarks/15964