Profile Applicability:
Level 1
Description:
Audit tools are critical for monitoring system activity and security events. Ensuring these tools are owned by the root user restricts unauthorized modification, protecting the integrity of audit logs and security monitoring.
Rationale:
Proper ownership prevents unauthorized users from tampering with audit tools, thereby maintaining the reliability and trustworthiness of audit data.
Impact:
Pros:
Protects audit tools from unauthorized changes.
Ensures reliable security auditing and monitoring.
Cons:
Misconfiguration could cause access issues for legitimate audit processes.
Default Value:
Audit tools are typically owned by root by default, but verification is recommended.
Pre-requisites:
Root or sudo privileges to audit and modify file ownership.
Remediation:
Test Plan:
Using Linux command line:
1. Identify audit tool files, commonly located in:
ls -l /sbin/audit* /usr/sbin/audit*
2. Verify ownership is set to root for these files.
Implementation Plan:
Using Linux command line:
1. Change ownership to root for audit tools:
chown root /sbin/audit* /usr/sbin/audit*
2. Verify changes:
ls -l /sbin/audit* /usr/sbin/audit*
Backout Plan:
Using Linux command line:
Restore previous ownership from backups if necessary.
Test audit tools functionality after changes.
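The Test Plan check and the Backout Plan's "previous ownership" record as shell functions, added here as an example and not part of the benchmark text: one reports audit tools not owned by the expected UID, the other captures current ownership before `chown` is run. The function names are hypothetical, and GNU `stat` (as shipped on Amazon Linux 2) is assumed.

```shell
#!/bin/sh
# Added example (not from the benchmark). Function names are hypothetical.
# Assumes GNU coreutils stat, which supports -L and -c.

# check_audit_tool_owner EXPECTED_UID FILE...
# Prints "FAIL uid=<n> <path>" for each file not owned by EXPECTED_UID.
# Returns 0 if every existing file is compliant, 1 otherwise.
check_audit_tool_owner() {
    expected_uid=$1; shift
    rc=0
    for f in "$@"; do
        # An unmatched glob stays literal; skip paths that do not exist.
        [ -e "$f" ] || continue
        # -L follows symlinks, matching chown's default behaviour.
        uid=$(stat -L -c '%u' "$f") || { rc=1; continue; }
        if [ "$uid" != "$expected_uid" ]; then
            echo "FAIL uid=$uid $f"
            rc=1
        fi
    done
    return $rc
}

# record_owner FILE...
# Prints "<uid>:<gid> <path>" per file. Save this output before running
# chown so the previous ownership can be restored during backout.
record_owner() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        echo "$(stat -L -c '%u:%g' "$f") $f"
    done
}

# Usage as root, with the paths from the Test Plan (output file name is
# a placeholder):
#   record_owner /sbin/audit* /usr/sbin/audit* > audit-tools-owner.before
#   check_audit_tool_owner 0 /sbin/audit* /usr/sbin/audit*
```

A non-zero return from `check_audit_tool_owner 0 ...` means at least one listed tool is not owned by root (UID 0) and the Implementation Plan applies.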
References:
CIS Amazon Linux 2 Benchmark v3.0.0