← Rules Catalog
highauditverified rollback-safe

Set permissions on audit log directory

audit-log-dir-permissions · UBUNTU ≥ 22, RHEL ≥ 8 · 1 impl

Description

The /var/log/audit directory must have restrictive permissions (0700 or more restrictive) to prevent unauthorized access to audit logs.

Rationale

Audit logs contain sensitive security information about system activity. Unrestricted access could allow attackers to read logs to understand detection capabilities or modify/delete logs to cover their tracks.

Check → Remediate

Checkfile_permission
path:
/var/log/audit
mode:
0700
owner:
root
group:
root
Remediatefile_permissions
path:
/var/log/audit
mode:
0700
owner:
root
group:
root

Framework references

CIS

rhel9 6.3.4.1rhel10 6.3.4.1ubuntu24 6.2.4.1ubuntu22 6.2.4.4rhel8 6.3.4.1

STIG

V-230399V-270830 / UBTU-24-901380V-260600 / UBTU-22-653060V-281051 / RHEL-10-400170V-281055 / RHEL-10-400190V-258166 / RHEL-09-653085

NIST 800-53

AU-9AC-6

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#audit#permissions#logging#security