5.2.4.1 Ensure audit log files are mode 0640 or less permissive

Information

Audit log files contain information about the system and system activity.

Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality.

Solution

Run the following command to remove more permissive mode than 0640 from audit log files:

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: d370e6f338d87cd83da79f26eaf304f4f75f08ba81a8ae2552c23897e87adf24