← Rules Catalog
highauditverified rollback-safe

Set permissions on audit log files

audit-log-permissions · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

All audit log files in /var/log/audit must have restrictive permissions (0600 or more restrictive) with root ownership to prevent unauthorized access.

Rationale

Audit log files contain detailed records of security-relevant events. Unauthorized access to these files could reveal security monitoring capabilities or allow attackers to tamper with evidence.

Check → Remediate

Checkcommand
find /var/log/audit -type f \( -perm /0177 -o ! -user root -o ! -group root \) 2>/dev/null | head -1
expected_exit:
0
Remediatefile_permissions
find_paths:
/var/log/audit
find_type:
f
find_args:
-perm /0177
owner:
root
group:
root
mode:
0600

Framework references

CIS

rhel9 6.3.4.2rhel10 6.3.4.2rhel8 6.3.4.2

STIG

V-281054 / RHEL-10-400185V-258167 / RHEL-09-653090V-230396V-270827 / UBTU-24-901300V-260597 / UBTU-22-653045

NIST 800-53

AU-9AC-6

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions#logging#security