System audit logs must be owned by root.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-812	GEN002680	SV-45208r1_rule		Medium

Description
Failure to give ownership of system audit log files to root provides the designated owner and unauthorized users with the potential to access sensitive information.

STIG	Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide	2018-09-19

Details

Check Text ( C-42556r1_chk )
Perform the following to determine the location of audit logs and then check the ownership. Procedure: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf\|sed s/^[^\/]//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by root, this is a finding.

Check Text ( C-42556r1_chk )

Perform the following to determine the location of audit logs and then check the ownership.

Procedure:
# (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi)

If any audit log file is not owned by root, this is a finding.

Fix Text (F-38604r1_fix)
Change the ownership of the audit log file(s). Procedure: # chown root