STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.

DISA Rule

SV-230398r627750_rule

Vulnerability Number

V-230398

Group Title

SRG-OS-000057-GPOS-00027

Rule Version

RHEL-08-030090

Severity

CAT II

CCI(s)

• CCI-000162 - The information system protects audit information from unauthorized access.

Weight

10

Fix Recommendation

Configure the audit log to be owned by root by configuring the log group in the /etc/audit/auditd.conf file:

log_group = root

Check Contents

Verify the audit logs are group-owned by "root". First determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command:

$ sudo ls -al /var/log/audit/audit.log

rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log

If the audit log is not group-owned by "root", this is a finding.

Vulnerability Number

V-230398

Documentable

False

Rule Version

RHEL-08-030090

Severity Override Guidance

Verify the audit logs are group-owned by "root". First determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command:

$ sudo ls -al /var/log/audit/audit.log

rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log

If the audit log is not group-owned by "root", this is a finding.

Check Content Reference

M

Target Key

2921

Comments