4.1.4.1 Ensure audit log files are mode 0640 or less permissive

Information

Audit log files contain information about the system and system activity.

Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality.

Solution

Run the following command to remove more permissive mode than 0640 from audit log files:

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ( ! -perm 600 -a ! -perm 0400 -a ! -perm 0200 -a ! -perm 0000 -a ! -perm 0640 -a ! -perm 0440 -a ! -perm 0040 ) -exec chmod u-x,g-wx,o-rwx {} +

See Also

https://workbench.cisecurity.org/files/4239