Verify that Local Logs of the audit Daemon are not World-Readable

Description

Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to bei read by any non-root user. Check that "permissions.local" file contains the correct permissions rules with the following command:

# grep -i audit /etc/permissions.local

/var/log/audit/ root:root 600
/var/log/audit/audit.log root:root 600
/etc/audit/audit.rules root:root 640
/etc/audit/rules.d/audit.rules root:root 640

Rationale

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

ID: xccdf_org.ssgproject.content_rule_permissions_local_var_log_audit
Severity: Medium
References: CCI-000164

AU-9

SRG-OS-000057-GPOS-00027 SRG-OS-000058-GPOS-00028 SRG-OS-000059-GPOS-00029

SLES-12-020120

SV-217202r603262_rule

CCE-83117-2
Updated: about 1 year ago