Profile Applicability:
Level 2
Description:
Audit log files contain sensitive information about system activity and security events. Ensuring that only authorized groups have ownership of these files prevents unauthorized access and protects the integrity of audit logs.
Rationale:
Assigning ownership of audit log files to authorized groups restricts access to trusted users, reducing the risk of tampering or unauthorized disclosure.
Impact:
Pros:
Enhances confidentiality and integrity of audit logs.
Limits access to sensitive audit information to authorized personnel.
Cons:
Misconfiguration may inadvertently restrict legitimate access.
Default Value:
Audit log file group ownership may vary; verification is required to ensure compliance.
Prerequisites:
Root or sudo privileges to audit and modify file group ownership.
Remediation:
Test Plan:
Using the Linux command line:
List audit log files and their group ownership:
ls -l /var/log/audit/
Verify that group ownership is assigned only to authorized groups (commonly root or audit).
Implementation Plan:
Using the Linux command line:
Change group ownership of audit log files to authorized groups:
chgrp audit /var/log/audit/*
Apply group ownership recursively if needed:
chgrp -R audit /var/log/audit/
Verify changes:
ls -l /var/log/audit/
Backout Plan:
Using the Linux command line:
Restore previous group ownership from backups if necessary.
Verify audit log accessibility for authorized users.
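The Test Plan, Implementation Plan and Backout Plan above can be carried out with one small script. The following is an added example, not text or code from the CIS benchmark: it checks every regular file in a directory against an allow-list of authorized groups, changes the group of non-compliant files only (a blanket chgrp over /var/log/audit/* would also touch files a site deliberately assigned to another authorized group), and records each file's previous group first so the Backout Plan has something to restore from. The directory and the group list are parameters, since the group a site authorizes depends on its own audit configuration; the function names, the backout file format and the use of stat in its GNU/busybox and BSD forms are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text. Audits a directory of
# audit log files against an allow-list of groups, remediates only the
# non-compliant files, and records their previous group for backout.
# Assumptions: a POSIX shell, "stat" (GNU/busybox -c or BSD -f form) and
# "chgrp"; the function names are this example's own.

# Print the name of the group that owns FILE.
file_group() {
  stat -c %G "$1" 2>/dev/null || stat -f %Sg "$1"
}

# check_audit_log_groups DIR GROUP[,GROUP...]
# Lists every regular file in DIR whose group is not in the allow-list.
# Returns 0 when all files are compliant, 1 otherwise.
check_audit_log_groups() {
  dir=$1
  allowed=$2
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue          # skip subdirectories and an empty glob
    grp=$(file_group "$f")
    case ",$allowed," in
      *",$grp,"*) ;;                 # group is authorized
      *) echo "NON-COMPLIANT: $f group=$grp"; rc=1 ;;
    esac
  done
  return $rc
}

# remediate_audit_log_groups DIR GROUP[,GROUP...] TARGET_GROUP BACKOUT_FILE
# Changes the group of non-compliant files only. Before each change the old
# group is appended to BACKOUT_FILE as "FILE OLD_GROUP" so the Backout Plan
# can restore it with chgrp. BACKOUT_FILE must live outside DIR.
remediate_audit_log_groups() {
  dir=$1
  allowed=$2
  target=$3
  backout=$4
  : > "$backout"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    grp=$(file_group "$f")
    case ",$allowed," in
      *",$grp,"*) ;;
      *)
        printf '%s %s\n' "$f" "$grp" >> "$backout"
        chgrp "$target" "$f"
        ;;
    esac
  done
}

# Number of files a backout record covers, i.e. how many files were changed.
backout_entries() {
  wc -l < "$1" | tr -d ' '
}

# Stand-alone use against the benchmark's path (run as root), for example:
#   check_audit_log_groups /var/log/audit root,audit
#   remediate_audit_log_groups /var/log/audit root,audit audit /root/audit-group-backout.txt
# Backout: while read -r f g; do chgrp "$g" "$f"; done < /root/audit-group-backout.txt
```

Run the check first and read its output before remediating; a file reported as non-compliant because a site uses a group other than root or audit is a sign the allow-list, not the file, needs adjusting, which is the misconfiguration risk the Impact section warns about.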
References:
CIS Amazon Linux 2 Benchmark v3.0.0