Profile Applicability:
Level 2
Description:
Audit log files store sensitive security and system activity information. Ensuring that these files are owned only by authorized users, typically root or designated audit administrators, helps protect against unauthorized access and tampering.
Rationale:
Proper ownership restricts access and modification rights to trusted users, maintaining the integrity and confidentiality of audit logs.
Impact:
Pros:
Enhances protection of audit logs from unauthorized modification.
Supports reliable and trustworthy auditing processes.
Cons:
Misconfiguration might limit legitimate access for audit users.
Default Value:
Audit log file ownership varies; verification is required to confirm compliance.
Prerequisites:
Root or sudo privileges to audit and modify file ownership.
Remediation:
Test Plan:
Using Linux command line:
List audit log files and their owners:
ls -l /var/log/audit/
Verify ownership is assigned only to authorized users (commonly root or audit).
Implementation Plan:
Using Linux command line:
Change ownership of audit log files to authorized users:
chown root /var/log/audit/*
Apply ownership recursively if needed:
chown -R root /var/log/audit/
Verify changes:
ls -l /var/log/audit/
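The test plan and implementation plan above as a script, added here as an example (it is not part of the benchmark text): it flags every file under the audit log directory whose owner is outside an allow-list, and offers a narrower remediation than chown -R that re-owns only the offending files. It assumes GNU coreutils stat (as on Amazon Linux 2); the directory and owner names come from the page.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark text): scripted form of the
# ls -l ownership check above, usable from a compliance job.
# Assumptions: GNU coreutils stat; /var/log/audit and the owners "root"
# and "audit" are the values named on the page.

# audit_log_owner_check DIR ALLOWED_OWNER...
# Prints "NONCOMPLIANT <owner> <path>" for each offending regular file.
# Returns 0 when every file under DIR is owned by an allowed user, else 1.
audit_log_owner_check() {
    dir="$1"; shift
    allowed=" $* "      # space-padded so " root " only matches a whole name
    bad=0
    # Read paths line by line (audit log names contain no newlines).
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        owner=$(stat -c %U "$f")
        case "$allowed" in
            *" $owner "*) ;;                                    # compliant
            *) printf 'NONCOMPLIANT %s %s\n' "$owner" "$f"; bad=$((bad + 1)) ;;
        esac
    done <<EOF
$(find "$dir" -type f)
EOF
    [ "$bad" -eq 0 ]
}

# audit_log_owner_fix DIR NEW_OWNER ALLOWED_OWNER...
# Remediation that touches only non-compliant files; chown -R would also
# rewrite the directory itself and files that were already correct.
audit_log_owner_fix() {
    dir="$1"; new_owner="$2"; shift 2
    { audit_log_owner_check "$dir" "$@" || true; } \
        | while read -r _ _ path; do chown "$new_owner" "$path"; done
}

# Usage: report on the real audit directory when it exists on this host.
if [ -d /var/log/audit ]; then
    audit_log_owner_check /var/log/audit root audit
fi
```

Run the check first; only apply the fix after confirming the reported files really belong to the audit log set.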
Backout Plan:
Using Linux command line:
Restore the ownership recorded before the change (for example, from the earlier ls -l output) if necessary.
Verify audit log accessibility for authorized users.
References:
CIS Amazon Linux 2 Benchmark v3.0.0