Check: RHEL-06-000383
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000383
(in versions v2 r2 through v1 r14)
Title
Audit log files must have mode 0640 or less permissive. (Cat II impact)
Discussion
If users can write to audit logs, audit trails can be modified or destroyed.
Check Content
Run the following command to check the mode of the system audit logs:

```
grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %a:%n
```

Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding.
Fix Text
Change the mode of the audit log files with the following command:

```
# chmod 0640 [audit_file]
```
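"0640 or less permissive" is a bitmask condition, not a numeric one: mode 0604 is a smaller number than 0640 but lets every user read the log. The script below is an added example, not part of the STIG text. It evaluates the check that way, and it also looks at rotated siblings of `log_file` (such as `audit.log.1`), which goes beyond the single file the check command inspects. The function names and the optional config-path argument are illustrative.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate RHEL-06-000383 with a bitmask.
# Function names and the config-path argument are hypothetical.

# Succeeds when octal MODE (as printed by `stat -c %a`) grants nothing
# beyond 0640 (rw-r-----), including no setuid/setgid/sticky bits.
mode_within_0640() {
    [ $(( 0$1 & ~0640 & 07777 )) -eq 0 ]
}

# Prints the log_file value from an auditd.conf-style file.
audit_log_path() {
    sed -n 's/^log_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Prints "mode:path" for every audit log that is too permissive.
# Returns 0 if all pass, 1 on a finding, 2 if log_file is not set.
check_audit_logs() {
    conf=${1:-/etc/audit/auditd.conf}
    log=$(audit_log_path "$conf")
    [ -n "$log" ] || { echo "no log_file in $conf" >&2; return 2; }
    rc=0
    # "$log".* picks up rotated logs (assumption: they sit beside log_file).
    for f in "$log" "$log".*; do
        [ -f "$f" ] || continue
        m=$(stat -c %a "$f")
        mode_within_0640 "$m" || { echo "$m:$f"; rc=1; }
    done
    return $rc
}

# Usage (as root): check_audit_logs    # reads /etc/audit/auditd.conf
```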
Additional Identifiers
Rule ID: SV-218084r603264_rule
Vulnerability ID: V-218084
Group Title: SRG-OS-000058
CCIs
CCIs tied to check.
Number | Definition |
---|---|
CCI-000163 | Protect audit information from unauthorized modification. |
Controls
Controls tied to check. These are derived from the CCIs shown above.
Number | Title |
---|---|
AU-9 | Protection of Audit Information |