highauditverified ✓rollback-safe
Set permissions on audit log directory
audit-log-dir-permissions · UBUNTU ≥ 22, RHEL ≥ 8 · 1 impl
Description
The /var/log/audit directory must have restrictive permissions (0700 or more restrictive) to prevent unauthorized access to audit logs.
Rationale
Audit logs contain sensitive security information about system activity. Unrestricted access could allow attackers to read logs to understand detection capabilities or modify/delete logs to cover their tracks.
Check → Remediate
Checkfile_permission
- path:
- /var/log/audit
- mode:
- 0700
- owner:
- root
- group:
- root
Remediatefile_permissions
- path:
- /var/log/audit
- mode:
- 0700
- owner:
- root
- group:
- root
Framework references
CIS
rhel9 6.3.4.1rhel10 6.3.4.1ubuntu24 6.2.4.1ubuntu22 6.2.4.4rhel8 6.3.4.1
STIG
V-230399V-270830 / UBTU-24-901380V-260600 / UBTU-22-653060V-281051 / RHEL-10-400170V-281055 / RHEL-10-400190V-258166 / RHEL-09-653085
NIST 800-53
AU-9AC-6
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#audit#permissions#logging#security