
System Audit Logs Must Have Mode 0600 or Less Permissive

An XCCDF Rule

Description

Determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Using the path of the directory containing the audit logs, determine whether every audit log file has a mode of "600" or less permissive with the following command:

$ sudo stat -c "%n %a" /var/log/audit/*
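The manual check above, written as a script. This is an added example, not part of the XCCDF rule's own content. It assumes GNU stat (the same `stat -c` used above) and takes the auditd.conf path as a parameter so it can be pointed at a copy; any bit beyond owner read/write (group or other bits, owner execute, setuid, setgid, sticky) is reported as a failure.

```shell
#!/bin/sh
# Added example, not part of the XCCDF rule's own content: locate the audit log
# directory via auditd.conf and report any file there whose mode is more
# permissive than 0600. Assumes GNU stat (as in the manual check above).

# audit_log_file CONF
#   Print the log_file value from CONF; fall back to auditd's default path
#   (the value shown in the Description above) when the key is absent.
audit_log_file() {
    _conf="$1"
    _f=$(awk -F '=' 'tolower($1) ~ /^[[:space:]]*log_file[[:space:]]*$/ {
                         gsub(/[[:space:]]/, "", $2); print $2 }' "$_conf" 2>/dev/null)
    [ -n "$_f" ] || _f=/var/log/audit/audit.log
    printf '%s\n' "$_f"
}

# too_permissive MODE
#   True (exit 0) when octal MODE, as printed by stat %a, grants anything beyond
#   owner read/write: any group/other bit, owner execute, setuid/setgid/sticky.
too_permissive() {
    _mode=$(printf '%d' "0$1")        # octal text -> decimal integer
    # Mask of disallowed bits: 07777 & ~0600 = 07177 = 3711 decimal
    [ $(( _mode & 3711 )) -ne 0 ]
}

# check_audit_log_perms CONF
#   Print "FAIL <path> <mode>" for each offending file in the log directory and
#   return 1 if any were found, 0 if every file is 0600 or stricter.
check_audit_log_perms() {
    _dir=$(dirname "$(audit_log_file "$1")")
    _rc=0
    for _path in "$_dir"/*; do
        [ -f "$_path" ] || continue
        _m=$(stat -c '%a' "$_path")
        if too_permissive "$_m"; then
            printf 'FAIL %s %s\n' "$_path" "$_m"
            _rc=1
        fi
    done
    return "$_rc"
}

# Usage: sh check_audit_log_perms.sh /etc/audit/auditd.conf  (run as root to read the logs)
if [ "$#" -gt 0 ]; then
    check_audit_log_perms "$1"
fi
```

The non-zero exit status makes the script usable directly as a compliance check in a scheduled job; the FAIL lines list exactly which files would need the remediation below.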

Rationale

If users can write to audit logs, audit trails can be modified or destroyed.

ID
xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit_stig
Severity
Medium


Remediation - Shell Script

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q installed && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

if LC_ALL=C grep -iqw ^log_file /etc/audit/auditd.conf; then
    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
else
    FILE="/var/log/audit/audit.log"   # auditd default when log_file is not set
fi
chmod 0600 "$(dirname "$FILE")"/*     # owner read/write only on every audit log file

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi