5.2.4.1 Ensure the audit log directory is 0750 or more restrictive

Information

The audit log directory contains audit log files.

Audit information includes all information including: audit records, audit settings and audit reports. This information is needed to successfully audit system activity. This information must be protected from unauthorized modification or deletion. If this information were to be compromised, forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.

Solution

Run the following command to configure the audit log directory to have a mode of "0750" or less permissive:

# chmod g-w,o-rwx "$(dirname $( awk -F"=" '/^s*log_files*=s*/ {print $2}' /etc/audit/auditd.conf))"

See Also

https://workbench.cisecurity.org/benchmarks/15964