documentation_complete: true


title: 'Verify that audit tools are owned by root'

description: |-
    The {{{ full_name }}} operating system audit tools must have the proper
    ownership configured to protect against unauthorized access.

    Verify it by running the following command:
    <pre>$ stat -c "%n %U" {{{ audit_binaries | join(" ")}}}
    {{% for binary in audit_binaries %}}
    {{{ binary }}} root
    {{% endfor %}}
    </pre>

    Audit tools are needed to successfully view and manipulate audit information,
    system activity and records. Audit tools include custom queries and report
    generators.

rationale: |-
    Protecting audit information also includes identifying and protecting the
    tools used to view and manipulate log data. Therefore, protecting audit
    tools is necessary to prevent unauthorized operation on audit information.

    Operating systems providing tools to interface with audit information
    will leverage user permissions and roles identifying the user accessing the
    tools and the corresponding rights the user enjoys to make access decisions
    regarding the access to audit tools.

severity: medium

identifiers:
    cce@rhel8: CCE-86453-8
    cce@rhel9: CCE-86454-6
    cce@rhel10: CCE-89400-6
    cce@sle15: CCE-92549-5

references:
    srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098

ocil: |-
    Verify it by running the following command:
    <pre>$ stat -c "%n %U" {{{ audit_binaries | join(" ")}}}
    {{% for binary in audit_binaries %}}
    {{{ binary }}} root
    {{% endfor %}}
    </pre>
    If any of the above lines is missing from the output, the corresponding
    audit tool is not owned by root and must be corrected.

    Run the following command to correct the ownership of each missing
    entry:
    <pre>$ sudo chown root [audit_tool] </pre>

    Replace "[audit_tool]" with each audit tool not owned by root.
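As an added example that is not part of this rule, its `file_owner` template or the ComplianceAsCode project, the following POSIX shell functions implement the check above for an arbitrary list of tools (reporting missing files as well as wrongly owned ones) and print the `chown` commands the remediation step calls for. The default tool list is an assumption; the real rule takes it from the `audit_binaries` variable.

```shell
# Added example, not part of the ComplianceAsCode rule or its file_owner
# template. Assumes GNU coreutils `stat` (as on RHEL and SLE).

# audit_tools_not_owned_by OWNER FILE...
# Prints "<path> <actual owner>" for each file not owned by OWNER and
# "<path> MISSING" for each file that does not exist.
# Returns 0 when every file exists and is owned by OWNER, 1 otherwise.
audit_tools_not_owned_by() {
    owner="$1"; shift
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%s MISSING\n' "$f"
            bad=1
            continue
        fi
        actual=$(stat -c '%U' "$f")
        if [ "$actual" != "$owner" ]; then
            printf '%s %s\n' "$f" "$actual"
            bad=1
        fi
    done
    return "$bad"
}

# print_remediation OWNER FILE...
# Dry run of the rule's fix: prints one `chown OWNER <path>` line per
# existing file with the wrong owner (a missing tool cannot be chown'ed).
print_remediation() {
    owner="$1"; shift
    audit_tools_not_owned_by "$owner" "$@" | while read -r path current; do
        [ "$current" = "MISSING" ] && continue
        printf 'chown %s %s\n' "$owner" "$path"
    done
}

# Assumed default list; the real rule takes it from the audit_binaries variable.
DEFAULT_AUDIT_TOOLS="/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules"

# Usage: `sh check_audit_owner.sh --check` lists non-compliant tools and
# exits 1 if there are any.
if [ "${1:-}" = "--check" ]; then
    audit_tools_not_owned_by root $DEFAULT_AUDIT_TOOLS && echo "all audit tools owned by root"
    exit $?
fi
```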

template:
    name: file_owner
    vars:
        filepath: {{{ audit_binaries }}}
        uid_or_name: '0'
