6.3.4.2 Ensure audit log files mode is configured

Information

Audit log files contain information about the system and system activity.

Access to audit records can reveal system and configuration data to attackers, potentially compromising the confidentiality of that data.

Solution

Run the following command to remove any permissions beyond mode 0640 from audit log files:

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +
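
A read-only check to run before and after the remediation above, as an added example that is not part of the benchmark text: it resolves the audit log directory from `log_file` and lists any file with a bit set outside 0640, using the same `-perm /0137` mask. The function names `audit_log_dir` and `audit_log_mode_check` are hypothetical, and GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example: audits audit log file modes without changing anything.

# Print the directory holding the audit logs, taken from the log_file
# setting of the given auditd.conf (default: /etc/audit/auditd.conf).
# Returns 2 when the file or the setting is missing.
audit_log_dir() {
    conf="${1:-/etc/audit/auditd.conf}"
    [ -f "$conf" ] || return 2
    log_file=$(awk -F= '/^[ \t]*log_file[ \t]*=/ {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$conf")
    [ -n "$log_file" ] || return 2
    dirname "$log_file"
}

# Mask 0137 = u+x, g+wx, o+rwx: every bit that mode 0640 does not allow.
# Returns 0 (PASS) when no file has any of those bits, 1 (FAIL) when at
# least one does, 2 when the log directory cannot be determined.
audit_log_mode_check() {
    dir=$(audit_log_dir "$1") || {
        echo "log_file not found in ${1:-/etc/audit/auditd.conf}" >&2
        return 2
    }
    [ -d "$dir" ] || { echo "audit log directory $dir not found" >&2; return 2; }
    # One line per offending file: octal mode, then path.
    offenders=$(find "$dir" -type f -perm /0137 -exec stat -c '%a %n' {} + 2>/dev/null)
    if [ -z "$offenders" ]; then
        echo "PASS: no file in $dir is more permissive than 0640"
        return 0
    fi
    echo "FAIL: files in $dir more permissive than 0640:"
    echo "$offenders" | sed 's/^/  /'
    return 1
}

# Usage (as root): audit_log_mode_check [path-to-auditd.conf]
```
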

See Also

https://workbench.cisecurity.org/benchmarks/18211

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: ead800701944a1108bedf47a5a62d9d6eae983e0cc9c6e64b086b126ee9aa36f