
6.2.4.3 Ensure audit log files group owner is configured

Audit

Run the following command to verify that the log_group parameter is set to either adm or root in /etc/audit/auditd.conf:

# grep -Piws -- '^\h*log_group\h*=\h*\H+\b' /etc/audit/auditd.conf | grep -Pvi -- '(adm|root)\b'
Nothing should be returned

Using the path of the directory containing the audit logs (taken from the log_file setting), verify that the audit log files are group-owned by "root" or "adm" by running the following script:

#!/usr/bin/env bash
{
if [ -e /etc/audit/auditd.conf ]; then
l_fpath="$(dirname "$(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)")"
find -L "$l_fpath" -not -path "$l_fpath"/lost+found -type f \( ! -group root -a ! -group adm \) -exec ls -l {} +
fi
}
Nothing should be returned

Remediation

Run the following command to configure the audit log files to be group owned by adm:

find $(dirname $(awk -F"=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)) -type f \( ! -group adm -a ! -group root \) -exec chgrp adm {} +

Run the following command to set the log_group parameter in the audit configuration file to log_group = adm:

# sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = adm\1/' /etc/audit/auditd.conf

Run the following command to restart the audit daemon to reload the configuration file:

# systemctl restart auditd
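The audit and remediation steps above can be exercised without root and without touching /etc/audit by running the same parsing, sed and find logic against a constructed copy of auditd.conf. The script below is an added example, not CIS benchmark code; the function names (conf_value, check_log_group, remediate_log_group, find_bad_group_files) are its own, and it assumes GNU sed (for -r and \s, as the page's sed does) and getent, as found on the Linux hosts this control targets. It also shows two practical caveats: the page's grep passes when the log_group line is missing or commented out (the check here treats that as non-compliant), and the page's sed only rewrites an existing line, so a conf with no log_group line at all would be left unchanged unless the setting is appended.

```shell
#!/usr/bin/env bash
# Added example, not CIS benchmark code: exercises the log_group audit and
# remediation logic against a constructed auditd.conf in a temp directory.
# Assumes GNU sed (-r, \s) and getent, as on the Linux hosts the benchmark targets.

# Print the effective value of a key in an auditd.conf-style file (last active
# assignment wins, inline "# comment" stripped); prints nothing if unset.
conf_value() {
    awk -F '=' -v key="$2" '$0 ~ "^[ \t]*" key "[ \t]*=" {
        v = $2; sub(/#.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
    } END { print v }' "$1"
}

get_log_group() { conf_value "$1" log_group; }

# Directory holding the audit logs, derived from log_file as the page does.
get_log_dir() { dirname "$(conf_value "$1" log_file)"; }

# Pass (exit 0) only if log_group is adm or root. Stricter than the page's
# grep pair, which also passes when the line is missing or commented out.
check_log_group() {
    case "$(get_log_group "$1")" in
        adm|root) return 0 ;;
        *)        return 1 ;;
    esac
}

# The page's sed, applied to the given conf. It only rewrites an existing
# (possibly commented) log_group line, so append the setting when none exists.
remediate_log_group() {
    local conf="$1"
    sed -ri 's/^\s*#?\s*log_group\s*=\s*\S+(\s*#.*)?.*$/log_group = adm\1/' "$conf"
    if [ "$(get_log_group "$conf")" != adm ]; then
        printf 'log_group = adm\n' >> "$conf"
    fi
}

# Resolve a group name (or numeric gid) to a gid; prints nothing if unknown,
# so a group absent on this host (e.g. adm) is skipped instead of breaking find.
gid_of() {
    case "$1" in
        *[!0-9]*|'') getent group "$1" | cut -d: -f3 ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# List regular files under dir whose group is none of the given groups (names
# or gids). Same find as the audit script, with the allowed groups passed as
# parameters so the logic can be tested against the caller's own group.
find_bad_group_files() {
    local dir="$1" g gid; shift
    local groups="$*"
    set --
    for g in $groups; do
        gid="$(gid_of "$g")"
        [ -n "$gid" ] && set -- "$@" ! -gid "$gid"
    done
    find -L "$dir" -not -path "$dir"/lost+found -type f "$@"
}

# Walk-through on a constructed conf: log_group commented out, log_file set.
demo() {
    local tmp; tmp="$(mktemp -d)"
    mkdir "$tmp/audit"
    : > "$tmp/audit/audit.log"
    : > "$tmp/audit/audit.log.1"
    printf '#log_group = root\nlog_file = %s/audit/audit.log\n' "$tmp" > "$tmp/auditd.conf"

    printf 'before: log_group=%s\n' "$(get_log_group "$tmp/auditd.conf")"
    remediate_log_group "$tmp/auditd.conf"
    printf 'after:  log_group=%s\n' "$(get_log_group "$tmp/auditd.conf")"

    # The chgrp remediation needs privileges, so only the audit side is run here.
    printf 'files under %s not group-owned by adm/root:\n' "$(get_log_dir "$tmp/auditd.conf")"
    find_bad_group_files "$(get_log_dir "$tmp/auditd.conf")" adm root
    rm -rf "$tmp"
}
demo
```

Run it as an unprivileged user: the demo prints the log_group value before and after the sed, then lists the temp log files (which are group-owned by your own group, so they show up as findings). Against the real host, call the same functions with /etc/audit/auditd.conf and `adm root`.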