6.2.4.2 Ensure audit log files owner is configured
Audit
Run the following script to verify audit log files are owned by the root user:
| #!/usr/bin/env bash
{
l_output="" l_output2=""
if [ -e "/etc/audit/auditd.conf" ]; then
l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")"
if [ -d "$l_audit_log_directory" ]; then
while IFS= read -r -d $'\0' l_file; do
l_output2="$l_output2\n - File: \"$l_file\" is owned by user: \"$(stat -Lc '%U' "$l_file")\"\n (should be owned by user: \"root\")\n"
done < <(find "$l_audit_log_directory" -maxdepth 1 -type f ! -user root -print0)
else
l_output2="$l_output2\n - Log file directory not set in \"/etc/audit/auditd.conf\" please set log file directory"
fi
else
l_output2="$l_output2\n - File: \"/etc/audit/auditd.conf\" not found.\n - ** Verify auditd is installed **"
fi
if [ -z "$l_output2" ]; then
l_output="$l_output\n - All files in \"$l_audit_log_directory\" are owned by user: \"root\"\n"
echo -e "\n- Audit Result:\n ** PASS **\n - * Correctly configured * :$l_output"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - * Reasons for audit failure * :$l_output2\n"
fi
}
|
Nothing should be returned
Run the following command to configure the audit log files to be owned by the root user:
# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec chown root {} +