{"description": "All audit logs must be group owned by root user.\n\nDetermine where the audit logs are stored with the following command:\n<pre>$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log</pre>\n\nUsing the path of the directory containing the audit logs, determine if the audit log files\nare owned by the \"root\" group by using the following command:\n<pre>$ sudo stat -c \"%n %G\" /var/log/audit/*\n/var/log/audit/audit.log root</pre>\nIf the audit log files are owned by a group other than \"root\", this is a finding.\n\nTo remediate, configure the audit log directory and its underlying files to be owned by \"root\"\ngroup.\n\nSet the \"log_group\" parameter of the audit configuration file to the \"root\" value so when a\nnew log file is created, its group owner is properly set:\n<pre>$ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf\n$ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf</pre>\n\nLast, signal the audit daemon to reload the configuration file to update the group owners\nof existing files:\n<pre>$ sudo systemctl kill auditd -s SIGHUP</pre>", "rationale": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.", "severity": "medium", "references": {"srg": ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029", "SRG-OS-000206-GPOS-00084"], "stigid": ["UBTU-22-653055"], "stigref": ["SV-260599r958434_rule"]}, "control_references": {"stigid": ["UBTU-22-653055"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "System Audit Logs Must Be Group Owned By Root", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/file_group_ownership_var_log_audit_stig/rule.yml", "template": null}