Free DISA STIG and SRG Library | Vaulted

V-59607

Audit log files must be owned by root.

Finding ID: AOSX-10-000331
Rule ID: SV-74037r1_rule
Severity: Cat II
CCE: (None)
Group Title: SRG-OS-000057
CCI: CCI-000162
Target Key: (None)
Documentable: No

Discussion

The audit service must be configured to create log files with the correct ownership to prevent normal users from reading audit logs. Audit logs contain sensitive data about the system and about users. If log files are set to only be readable and writable by root or administrative users with sudo, the risk is mitigated.

Fix Text

For any log file that returns an incorrect owner, run the following command:

sudo chown root [audit log file]

[audit log file] is the full path to the log file in question.

Check Content

To check the ownership of the audit log files, run the following command:

sudo ls -le $(sudo grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | grep -v current

The results should show the owner (third column) to be root. If not, this is a finding.
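
The check above as a script that prints only the offending files, so the result does not depend on reading the ls columns by eye. This is an added example, not part of the STIG text; the function name check_audit_owner, its optional arguments, the --run switch and the FINDING output format are assumptions made for the example. It compares numeric owner IDs (0 is root) and assumes the audit directory path contains no spaces.

```shell
#!/bin/sh
# Added example: report audit log files that are not owned by root.
# check_audit_owner [audit_control path] [expected numeric uid]
#   returns 0 = all files owned as expected
#           1 = at least one finding (offending files are printed)
#           2 = audit_control unreadable or has no dir: entry
check_audit_owner() {
    conf="${1:-/etc/security/audit_control}"
    want_uid="${2:-0}"                      # 0 is root

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi

    # Same source as the manual check: the dir: line(s) of audit_control.
    dirs=$(awk -F: '/^dir:/ { print $2 }' "$conf")
    if [ -z "$dirs" ]; then
        echo "no dir: entry in $conf" >&2
        return 2
    fi

    status=0
    for d in $dirs; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            # The manual check filters out "current" (grep -v current).
            case "$f" in */current) continue ;; esac
            # ls -ln prints the numeric owner in the third column.
            uid=$(ls -ln "$f" | awk '{ print $3 }')
            if [ "$uid" != "$want_uid" ]; then
                echo "FINDING: $f owner uid $uid (expected $want_uid)"
                status=1
            fi
        done
    done
    return $status
}

# Run against the live system only when asked: sudo sh thisfile --run
if [ "${1:-}" = "--run" ]; then
    check_audit_owner
    exit $?
fi
```

Each file reported as a FINDING is a candidate for the chown command in the Fix Text.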