Skip to content

4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files

Audit#

Run the following command to verify log_group parameter is set to either adm or root in /etc/audit/auditd.conf: 

# grep -Piw -- '^\h*log_group\h*=\h*(adm|root)\b' /etc/audit/auditd.conf

Verify the output is: 

log_group = adm

-OR

log_group = root

Using the path of the directory containing the audit logs, determine if the audit log files are owned by the "root" or "adm" group by using the following command: 

# stat -c "%n %G" "$(dirname $(awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf | xargs))"/* | grep -Pv '^\h*\H+\h+(adm|root)\b'

Nothing should be returned

Remediation#

Run the following command to configure the audit log files to be owned by adm group: 

# find $(dirname $(awk -F"=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \( ! -group adm -a ! -group root \) -exec chgrp adm {} +

Run the following command to configure the audit log files to be owned by the adm group: 

# chgrp adm /var/log/audit/

Run the following command to set the log_group parameter in the audit configuration file to log_group = adm: 

# sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = adm\1/' /etc/audit/auditd.conf

Run the following command to restart the audit daemon to reload the configuration file: 

# systemctl restart auditd