STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 23 Apr 2021

RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.

DISA Rule

SV-230400r627750_rule

Vulnerability Number

V-230400

Group Title

SRG-OS-000057-GPOS-00027

Rule Version

RHEL-08-030110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the audit log to be protected from unauthorized read access by setting the correct group-owner as "root" with the following command:

$ sudo chgrp root [audit_log_directory]

Replace "[audit_log_directory]" with the correct audit log directory path; by default this location is usually "/var/log/audit".

Check Contents

Verify the audit log directory is group-owned by "root" to prevent unauthorized read access.

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Determine the group owner of the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path:

$ sudo ls -ld /var/log/audit

drw------- 2 root root 23 Jun 11 11:56 /var/log/audit

If the audit log directory is not group-owned by "root", this is a finding.
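One way to automate this check, added here as an example script that is not part of the STIG or of STIGQter: it reads log_file from auditd.conf the way the check above does, derives the directory, and reports a finding when that directory is not group-owned by root. The script name check_audit_dir.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automate the RHEL-08-030110 check.
# It reads log_file from auditd.conf as the check does, derives the directory,
# and reports a finding if that directory is not group-owned by root.

# audit_log_dir CONF: print the directory holding the log_file set in CONF.
audit_log_dir() {
    conf="$1"
    # Match "log_file = /path" case-insensitively, skip commented lines,
    # keep the last definition, and strip the key, "=", and surrounding spaces.
    log_file=$(grep -i '^[[:space:]]*log_file[[:space:]]*=' "$conf" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    # auditd's own default when the key is absent (or CONF is unreadable)
    [ -n "$log_file" ] || log_file=/var/log/audit/audit.log
    dirname "$log_file"
}

# dir_group DIR: print the group owner of DIR (field 4 of "ls -ld" output).
dir_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# audit_dir_check CONF: returns 0 when the audit log directory is group-owned
# by root, 1 (a finding) otherwise. Prints the verdict on stdout.
audit_dir_check() {
    dir=$(audit_log_dir "$1")
    if [ ! -d "$dir" ]; then
        echo "FINDING: audit log directory '$dir' does not exist"
        return 1
    fi
    group=$(dir_group "$dir")
    if [ "$group" = root ]; then
        echo "PASS: $dir is group-owned by root"
        return 0
    fi
    echo "FINDING: $dir is group-owned by '$group', not root (fix: sudo chgrp root '$dir')"
    return 1
}

# Run against the live system when given a conf path, e.g.:
#   sudo sh check_audit_dir.sh /etc/audit/auditd.conf
[ $# -eq 0 ] || audit_dir_check "$1"
```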

Vulnerability Number

V-230400

Documentable

False

Rule Version

RHEL-08-030110

Severity Override Guidance

Verify the audit log directory is group-owned by "root" to prevent unauthorized read access.

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Determine the group owner of the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path:

$ sudo ls -ld /var/log/audit

drw------- 2 root root 23 Jun 11 11:56 /var/log/audit

If the audit log directory is not group-owned by "root", this is a finding.

Check Content Reference

M

Target Key

2921

Comments