System Audit Logs Must Have Mode 0750 or Less Permissive

An XCCDF Rule

Description

If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:

$ sudo chmod 0750 /var/log/audit

Otherwise, change the mode of the audit log files with the following command:

$ sudo chmod 0700 /var/log/audit

Rationale

If users can write to audit logs, audit trails can be modified or destroyed.

ID: xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Severity: Medium
References: 1 11 12 13 14 15 16 18 19 3 4 5 6 7 8

APO01.06 APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 DSS06.02 MEA02.01

CCI-000162 CCI-000163 CCI-000164

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 6.1

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.16.1.4 A.16.1.5 A.16.1.7 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CIP-003-8 R5.1.1 CIP-003-8 R5.2 CIP-003-8 R5.3 CIP-004-6 R2.3 CIP-004-6 R3.3 CIP-007-3 R2.1 CIP-007-3 R2.2 CIP-007-3 R2.3 CIP-007-3 R5.1 CIP-007-3 R5.1.1 CIP-007-3 R5.1.2 CIP-007-3 R6.5

AC-6(1) AU-9 CM-6(a)

DE.AE-3 DE.AE-5 PR.AC-4 PR.DS-5 PR.PT-1 RS.AN-1 RS.AN-4

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029
Updated: about 1 year ago