System Audit Logs Must Have Mode 0640 or Less Permissive
Description
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_file
Otherwise, change the mode of the audit log files with the following command:
$ sudo chmod 0600 audit_file
Here audit_file is the file named by log_file in /etc/audit/auditd.conf (/var/log/audit/audit.log by default); rotated copies of that file (audit.log.1, audit.log.2, ...) must be no more permissive than the live log.
Rationale
If unprivileged users can read or write audit logs, the audit trail can be disclosed, modified or destroyed.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms: skip inside containers
# and on hosts where the auditd package is not installed.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
    # Locate the live log: the log_file setting, or auditd's default path.
    if LC_ALL=C grep -q -w '^log_file' /etc/audit/auditd.conf; then
        FILE=$(awk -F "=" '/^log_file/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')
    else
        FILE="/var/log/audit/audit.log"
    fi
    # log_group defaults to root when it is not set in auditd.conf.
    if LC_ALL=C grep -m 1 -q '^log_group' /etc/audit/auditd.conf; then
        GROUP=$(awk -F "=" '/^log_group/ {print $2; exit}' /etc/audit/auditd.conf | tr -d ' ')
    else
        GROUP="root"
    fi
    # A non-root log_group may read the logs (0640 live, 0440 rotated);
    # otherwise only root may read them (0600 live, 0400 rotated).
    if [ "${GROUP}" != 'root' ]; then
        LIVE_MODE=0640
        ROTATED_MODE=0440
    else
        LIVE_MODE=0600
        ROTATED_MODE=0400
    fi
    chmod "${LIVE_MODE}" "${FILE}"
    # Rotated logs (audit.log.1, audit.log.2, ...) may not exist yet; skip the
    # unexpanded glob instead of failing on a literal "audit.log.*".
    for ROTATED in "${FILE}".*; do
        [ -e "${ROTATED}" ] && chmod "${ROTATED_MODE}" "${ROTATED}"
    done
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
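The remediation script changes modes but does not report whether a host already complies with the rule. The following bash check is an added example and not part of this rule's own content: it reads log_file and log_group from an auditd.conf path passed as its argument, derives the maximum permitted mode from the description above (0640 when log_group is a non-root group, 0600 otherwise), and compares the live log and any rotated logs bit by bit, so that a rotated log at 0440 passes while a world-readable 0644 fails. The function names are the example's own, and it assumes GNU stat (stat -c '%a'), as found on the Debian/Ubuntu hosts the dpkg-based remediation targets.

```bash
#!/bin/bash
# Added example: check (rather than remediate) whether audit log files are
# at most as permissive as the rule requires. Function names are hypothetical.

# Print the group auditd is configured to use for its logs.
# Defaults to "root" when log_group is absent from the configuration.
audit_log_group() {
    local conf="$1" group
    group=$(awk -F '=' '/^[[:space:]]*log_group[[:space:]]*=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' "$conf")
    printf '%s\n' "${group:-root}"
}

# Print the path of the live audit log: log_file, or auditd's default path.
audit_log_file() {
    local conf="$1" file
    file=$(awk -F '=' '/^[[:space:]]*log_file[[:space:]]*=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' "$conf")
    printf '%s\n' "${file:-/var/log/audit/audit.log}"
}

# Maximum permitted mode: 0640 when a non-root group reads the logs, 0600 otherwise.
max_audit_log_mode() {
    local conf="$1"
    if [ "$(audit_log_group "$conf")" = root ]; then
        printf '%s\n' 0600
    else
        printf '%s\n' 0640
    fi
}

# Return 0 when octal mode $1 grants no permission bit that octal mode $2 does
# not: "0640 or less permissive" means every set bit of $1 is also set in $2.
mode_within() {
    local actual=$((8#$1)) limit=$((8#$2))
    [ $(( actual & ~limit )) -eq 0 ]
}

# Check the live log and every rotated copy (audit.log.1, ...) beside it.
# Returns 0 when all files are compliant, 1 when any file is too permissive.
check_audit_log_modes() {
    local conf="$1" limit live file mode rc=0
    limit=$(max_audit_log_mode "$conf")
    live=$(audit_log_file "$conf")
    for file in "$live" "$live".*; do
        [ -e "$file" ] || continue            # skip an unexpanded glob or a missing live log
        mode=$(stat -c '%a' "$file")          # GNU stat: octal mode without leading zero
        if mode_within "$mode" "$limit"; then
            printf 'OK   %s mode %s (limit %s)\n' "$file" "$mode" "$limit"
        else
            printf 'FAIL %s mode %s exceeds %s\n' "$file" "$mode" "$limit"
            rc=1
        fi
    done
    return "$rc"
}
```

To run it on a host, source the file and call check_audit_log_modes /etc/audit/auditd.conf as root (the audit directory is not readable by other users); a non-zero exit status means at least one log file needs the chmod from the description. The bitwise comparison is what makes "or less permissive" precise: 0400 and 0440 pass against a 0640 limit, while 0644, 0660 or a setgid bit fail.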