← Back to Oracle Linux 8 Security Technical Implementation Guide

V-248733

CAT II (Medium)

OL 8 audit logs must be owned by root to prevent unauthorized read access.

Rule ID

SV-248733r958434_rule

STIG

Oracle Linux 8 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000162 CCI-000163 CCI-000164

Discussion

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit OL 8 activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Check Content

Verify the audit logs are owned by "root".  
 
Determine where the audit logs are stored with the following command: 
 
$ sudo grep -iw log_file /etc/audit/auditd.conf 
 
log_file = /var/log/audit/audit.log 
 
Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: 
 
$ sudo ls -al /var/log/audit/audit.log 
 
rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log 
 
If the audit log is not owned by "root", this is a finding.

Fix Text

Configure the audit log to be protected from unauthorized read access by setting the correct owner as "root" with the following command: 
 
$ sudo chown root [audit_log_file] 
 
Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".