STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 23 Apr 2021

RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.

DISA Rule

SV-230396r627750_rule

Vulnerability Number

V-230396

Group Title

SRG-OS-000057-GPOS-00027

Rule Version

RHEL-08-030070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the audit log to be protected from unauthorized read access by configuring the log group in the /etc/audit/auditd.conf file:

log_group = root

Check Contents

Verify the audit logs have a mode of "0600" or less permissive.

First, determine where the audit logs are stored with the following command:

$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log

Using the location of the audit log file, check if the audit log has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /var/log/audit/audit.log

600 /var/log/audit/audit.log

If the audit log has a mode more permissive than "0600", this is a finding.
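The check above, scripted as an added example (not STIG or STIGQter code): it reads log_file from auditd.conf exactly as the manual check does, then reports a finding if any permission bit outside 0600 (group, other, owner-execute, setuid/setgid/sticky) is set. Function names and the error exit code 2 are my own choices; stat -c is the GNU coreutils form used on RHEL.

```shell
#!/bin/sh
# Example implementation of the RHEL-08-030070 check (constructed, not from the STIG).

audit_log_path() {
  # $1: path to auditd.conf. Print the value of log_file (last uncommented
  # occurrence wins), matching the whole word so log_format/log_group are ignored.
  grep -iw '^[[:space:]]*log_file' "$1" | tail -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

audit_log_mode_ok() {
  # $1: path to auditd.conf. Returns 0 on pass, 1 on finding, 2 on error.
  conf="$1"
  log="$(audit_log_path "$conf")"
  [ -n "$log" ] || { echo "ERROR: no log_file setting in $conf"; return 2; }
  [ -e "$log" ] || { echo "ERROR: audit log $log does not exist"; return 2; }
  mode="$(stat -c '%a' "$log")"
  # "0600 or less permissive" means every set bit must lie within 0600.
  # The leading 0 makes the shell read stat's output as octal.
  if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
    echo "FINDING: $log has mode $mode (more permissive than 0600)"
    return 1
  fi
  echo "PASS: $log has mode $mode"
  return 0
}
```

Run it as `audit_log_mode_ok /etc/audit/auditd.conf` with root privileges, since the audit log itself is unreadable to other users when compliant.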

Severity Override Guidance

Check Content Reference

M

Target Key

2921

Comments