V-268256

CAT II (Medium)

The HYCU virtual appliance must protect audit tools from unauthorized access, modification, and deletion.

Rule ID

SV-268256r1038708_rule

STIG

HYCU Protege Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001493, CCI-001494, CCI-001495

Discussion

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Satisfies: SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240

Check Content

Verify the operating system audit tools and config files have proper permissions and ownership.

Log in to the HYCU console and list the full permissions and ownership of the audit folder with the following command:
sudo ls -al /etc/audit

Folder and files must be owned by root and the following permissions must be set: 
drwxr-x---.   4 root root  126 Mar 15 10:16 .
drwxr-xr-x. 106 root root 8192 May  6 13:58 ..
-rw-r-----.   1 root root  751 Apr 24  2020 audisp-remote.conf
-rw-r-----.   1 root root  856 Apr 24  2020 auditd.conf
-rw-r-----.   1 root root  107 Feb  3 13:18 audit.rules
-rw-r-----.   1 root root  127 Apr 24  2020 audit-stop.rules
drwxr-x---.   2 root root   67 Mar 15 10:16 plugins.d
drwxr-x---.   2 root root   25 Feb  3 13:13 rules.d

Audit files must be mode 0640 or less permissive. If any are more permissive, this is a finding.

The owner and group owner of all audit files must both be "root". If any other owner or group owner is listed, this is a finding.
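
The check above can be scripted so it is repeatable across appliances. This is an added example, not part of the STIG or of HYCU tooling: the function name check_audit_perms and its optional owner and group arguments are assumptions for illustration, the 0750 limit for directories is taken from the sample listing, and GNU find is assumed.

```shell
#!/bin/sh
# Added example: applies the V-268256 mode and ownership criteria to a directory.
# Usage (hypothetical file name): sudo sh -c '. ./check_audit.sh; check_audit_perms /etc/audit'
# check_audit_perms DIR [OWNER] [GROUP]
# Prints one "FINDING" line per violation; returns 1 if any were found, else 0.
check_audit_perms() {
    dir=$1
    want_user=${2:-root}     # the STIG requires root; override only for testing
    want_group=${3:-root}
    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir is missing or not a directory"
        return 1
    fi
    findings=$(
        find "$dir" \( -type f -o -type d \) -printf '%m %u %g %y %p\n' |
        while read -r mode user group type path; do
            # Mask selects every bit beyond the allowed mode, including
            # setuid/setgid/sticky: files 0640, directories 0750 (assumed
            # from the sample listing in the check text).
            if [ "$type" = d ]; then
                mask=07027; limit=0750
            else
                mask=07137; limit=0640
            fi
            if [ $(( 0$mode & $mask )) -ne 0 ]; then
                echo "FINDING: $path mode $mode is more permissive than $limit"
            fi
            if [ "$user" != "$want_user" ] || [ "$group" != "$want_group" ]; then
                echo "FINDING: $path owner $user:$group, expected $want_user:$want_group"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```
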

Fix Text

Change the mode of the audit log files with the following command:
# chmod 0640 [audit_file]

Change the owner and group owner of the audit files with the following command:
# chown root:root [audit_file]