Check: RHEL-09-653115
RHEL 9 STIG:
RHEL-09-653115
(in versions v1 r3 through v1 r1)
Title
RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. (Cat II impact)
Discussion
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Check Content
Verify the mode of /etc/audit/auditd.conf with the command: $ sudo stat -c "%a %n" /etc/audit/auditd.conf 640 /etc/audit/auditd.conf If "/etc/audit/auditd.conf" does not have a mode of "0640", this is a finding.
Fix Text
Set the mode of /etc/audit/auditd.conf file to 0640 with the command: $ sudo chmod 0640 /etc/audit/auditd.conf
Additional Identifiers
Rule ID: SV-258172r926503_rule
Vulnerability ID: V-258172
Group Title: SRG-OS-000063-GPOS-00032
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
Controls
| Number | Title |
|---|---|
| AU-12 |
Audit Generation |