Profile Applicability:
Level 1

Description:
 Audit configuration files define how auditing is performed on the system. Ensuring these files belong to the root group restricts unauthorized users from modifying audit settings, preserving the integrity of the audit system.

Rationale:
 Proper group ownership of audit configuration files prevents unauthorized changes that could disable or alter auditing, which is crucial for security monitoring and compliance.

Impact:
 Pros:

  • Protects audit configurations from unauthorized modifications.

  • Maintains reliability of security auditing processes.

 Cons:

  • Incorrect group ownership might cause access issues for legitimate audit services.

Default Value:
 Audit configuration files typically belong to group root, but this should be verified.

Pre-requisites:

  • Root or sudo privileges to audit and modify group ownership.

Remediation:

Test Plan:

Using Linux command line:

  1. Identify audit configuration files (common locations):

    ls -l /etc/audit/audit.rules /etc/audit/rules.d/

  2. Verify that the group ownership is set to root.
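The check in step 2 can be scripted as a pass/fail test. The following is an added example, not part of the original benchmark text. The function names and the *.conf / *.rules name filter are assumptions, and the directory and group are parameters that default to /etc/audit and root.

```shell
#!/bin/sh
# Added example: pass/fail check for group ownership of audit configuration files.
# Assumptions: config files are regular files named *.conf or *.rules under the
# given directory (default /etc/audit); the expected group defaults to root.

# Print every matching file whose group owner is NOT the expected group.
audit_conf_wrong_group() {
    dir=${1:-/etc/audit}
    group=${2:-root}
    # "! -group" selects files whose group differs; a numeric GID also works.
    find "$dir" -type f \( -name '*.conf' -o -name '*.rules' \) \
        ! -group "$group" -print
}

# Return 0 = compliant, 1 = at least one offending file, 2 = could not check.
check_audit_conf_group() {
    dir=${1:-/etc/audit}
    group=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir does not exist or is not a directory" >&2
        return 2
    fi
    offenders=$(audit_conf_wrong_group "$dir" "$group") || return 2
    if [ -n "$offenders" ]; then
        echo "FAIL: files under $dir not group-owned by $group:"
        # Show owner, group and mode so the finding can be recorded
        # before any chgrp is applied (useful for the backout plan).
        printf '%s\n' "$offenders" | while IFS= read -r f; do
            ls -ld "$f"
        done
        return 1
    fi
    echo "PASS: audit configuration files under $dir are group-owned by $group"
    return 0
}

# Usage (as root or with sudo):  check_audit_conf_group /etc/audit root
```

Saving the FAIL output before remediation records the previous group of each file, which is what the backout plan needs in order to restore it.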

Implementation Plan:

Using Linux command line:

  1. Change group ownership to root for audit configuration files:

    chgrp root /etc/audit/audit.rules  
    chgrp -R root /etc/audit/rules.d/

  2. Verify changes:

    ls -l /etc/audit/audit.rules /etc/audit/rules.d/

Backout Plan:

Using Linux command line:

  1. Restore previous group ownership from backups if necessary.

  2. Confirm audit services operate correctly after changes.
