highauditverified ✓rollback-safe
Set permissions on audit log files
audit-log-permissions · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
All audit log files in /var/log/audit must have restrictive permissions (0600 or more restrictive) with root ownership to prevent unauthorized access.
Rationale
Audit log files contain detailed records of security-relevant events. Unauthorized access to these files could reveal security monitoring capabilities or allow attackers to tamper with evidence.
Check → Remediate
Checkcommand
find /var/log/audit -type f \( -perm /0177 -o ! -user root -o ! -group root \) 2>/dev/null | head -1
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /var/log/audit
- find_type:
- f
- find_args:
- -perm /0177
- owner:
- root
- group:
- root
- mode:
- 0600
Framework references
CIS
rhel9 6.3.4.2rhel10 6.3.4.2rhel8 6.3.4.2
STIG
V-281054 / RHEL-10-400185V-258167 / RHEL-09-653090V-230396V-270827 / UBTU-24-901300V-260597 / UBTU-22-653045
NIST 800-53
AU-9AC-6
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions#logging#security