STIGQter: STIG Summary: Canonical Ubuntu 16.04 Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jan 2020: Audit log directory must be group-owned by root to prevent unauthorized read access.

DISA Rule

SV-90325r2_rule

Vulnerability Number

V-75645

Group Title

SRG-OS-000057-GPOS-00027

Rule Version

UBTU-16-020140

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the audit log to be protected from unauthorized read access, by setting the correct group-owner as "root" with the following command:

# sudo chgrp root [audit_log_directory]

Replace "[audit_log_directory]" with the correct audit log directory path. By default this location is usually "/var/log/audit".

Check Contents

Verify the audit log directory is group-owned by "root" to prevent unauthorized read access.

Determine where the audit logs are stored with the following command:

# sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Determine the audit log directory from the output of the above command (e.g., "/var/log/audit/"). Run the following command with the correct audit log directory path:

# sudo ls -ld /var/log/audit
drwxr-x--- 2 root root 8096 Jun 26 11:56 /var/log/audit

If the audit log directory is not group-owned by "root", this is a finding.
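
The check procedure above as a script, added here as an example and not part of the STIG text. The function names `audit_log_dir` and `check_audit_dir_group` and the optional expected-group argument are assumptions of this example, and it relies on GNU `stat` as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example: automates the manual check for UBTU-16-020140.
# Function names and optional arguments are assumptions of this example.

# Print the directory that holds the audit log, derived from the
# log_file setting in auditd.conf (default path as given in the check).
audit_log_dir() {
    conf=${1:-/etc/audit/auditd.conf}
    # Match "log_file = /path" with any spacing or letter case; commented
    # lines and other keys such as log_group or log_format do not match.
    log_file=$(awk -F= 'tolower($1) ~ /^[ \t]*log_file[ \t]*$/ {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$conf" 2>/dev/null) || return 1
    [ -n "$log_file" ] || return 1
    dirname "$log_file"
}

# Return 0 when the directory is group-owned by the expected group,
# 1 when it is a finding, 2 when the directory cannot be examined.
check_audit_dir_group() {
    dir=$1
    want=${2:-root}
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }
    # -L dereferences a symlinked log directory, so the group reported is
    # that of the real directory rather than of the link itself.
    have=$(stat -L -c '%G' "$dir") || return 2
    if [ "$have" = "$want" ]; then
        echo "PASS: $dir is group-owned by $have"
    else
        echo "FINDING: $dir is group-owned by $have, expected $want"
        return 1
    fi
}

# Usage on a live host (run with enough privilege to read auditd.conf):
#   dir=$(audit_log_dir) && check_audit_dir_group "$dir"
```

A non-zero exit status from `check_audit_dir_group` can be fed directly into a compliance job, with status 1 meaning a finding and status 2 meaning the check could not be performed.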

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3075
