V-812

Discussion

Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.

Check Content

Perform the following to determine the location of audit logs and then check the ownership.

Procedure:
# (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi)

If any audit log file is not owned by root, this is a finding.