Check: RHEL-06-000385
Red Hat Enterprise Linux 6 STIG: RHEL-06-000385 (in versions v2 r2 through v1 r14)
Title
Audit log directories must have mode 0755 or less permissive. (Cat II impact)
Discussion
If users can delete audit logs, audit trails can be modified or destroyed.
Check Content
Run the following command to check the mode of the system audit directories:
grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n
Audit directories must be mode 0755 or less permissive. If any are more permissive, this is a finding.
Fix Text
Change the mode of the audit log directories with the following command:
# chmod go-w [audit_directory]
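"0755 or less permissive" is a bit test, not a numeric comparison: mode 722 is numerically below 755 yet leaves the directory writable by group and other. The script below is an added example, not part of the STIG text; its function names are hypothetical, it assumes GNU stat as in the check command, and it does not evaluate setuid, setgid or sticky bits.

```shell
#!/bin/sh
# Added example: evaluate the RHEL-06-000385 check as a bit test.
# Assumption: GNU stat, as used by the check command itself.

# Print the directory part of the log_file setting in an auditd.conf-style
# file, using the same grep/sed pipeline as the check text.
audit_log_dir() {
    grep "^log_file" "$1" | sed 's/^[^/]*//; s/[^/]*$//'
}

# Return 0 if an octal mode (as printed by `stat -c %a`) grants no
# permission bit beyond 0755, i.e. no group-write or other-write bit.
# Assumption: setuid/setgid/sticky bits are masked off and not judged.
mode_is_compliant() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;        # not an octal mode string
    esac
    extra=$(( 0$1 & 0777 & ~0755 ))     # bits outside rwxr-xr-x
    [ "$extra" -eq 0 ]
}

# Print "PASS <mode>:<dir>" or "FINDING <mode>:<dir>" for a config file.
# Returns 0 on pass, 1 on finding, 2 if the directory cannot be resolved.
check_audit_dir() {
    dir=$(audit_log_dir "$1")
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "ERROR no audit directory from $1"; return 2; }
    mode=$(stat -c %a "$dir") || return 2
    if mode_is_compliant "$mode"; then
        echo "PASS $mode:$dir"
    else
        echo "FINDING $mode:$dir"
        return 1
    fi
}

# When a config path is given as an argument, check it.
if [ "$#" -gt 0 ]; then
    check_audit_dir "$1"
fi
```

Run it as `sh script.sh /etc/audit/auditd.conf`; a non-zero exit status means a finding or an unresolved directory.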
Additional Identifiers
Rule ID: SV-218086r603264_rule
Vulnerability ID: V-218086
Group Title: SRG-OS-000059
CCIs
CCIs tied to check.
Number | Definition |
---|---|
CCI-000164 | Protect audit information from unauthorized deletion. |
Controls
Controls tied to check. These are derived from the CCIs shown above.
Number | Title |
---|---|
AU-9 | Protection of Audit Information |