RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access.

STIG ID: RHEL-10-400190  |  SRG: SRG-OS-000057-GPOS-00027 |  Severity: medium (CAT II)  |  CCI: CCI-000162,CCI-000163,CCI-000164 |  Vulnerability Id: V-281055

Vulnerability Discussion

If users can write to audit logs, audit trails can be modified or destroyed.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Check

Verify RHEL 10 enforces the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access.

Determine where the audit logs are stored with the following command:

$ sudo grep "^log_file" /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Find the group that owns audit logs:

$ sudo grep "^log_group" /etc/audit/auditd.conf
log_group = root

Run the following command to check the mode of the system audit logs:

$ sudo stat -c "%a %n" [audit_log_directory]

Replace "[audit_log_directory]" to the correct audit log directory path; by default this location is "/var/log/audit".

If the log_group is "root" or is not set, the correct permissions are "0700".

If the log_group is owned by anyone other than "root", the correct permissions are "0750".

If audit logs have a more permissive mode than is required, this is a finding.

Fix

Configure RHEL 10 so that the audit log directories have a mode of "0750" or less permissive to prevent unauthorized read access with the following command:

$ sudo chmod 0700 /var/log/audit

Note: The correct permissions are "0700" if the directory is owned by "root"; otherwise, the correct permissions are "0750".

Restart the audit daemon with the following command for the changes to take effect:

$ sudo service auditd restart
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.