RHEL-10-400190 - RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access.

Information

If users can write to audit logs, audit trails can be modified or destroyed.

Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Solution

Configure RHEL 10 so that the audit log directories have a mode of "0750" or less permissive to prevent unauthorized read access with the following command:

$ sudo chmod 0700 /var/log/audit

Note: The correct permissions are "0700" if the directory is owned by "root"; otherwise, the correct permissions are "0750".

Restart the audit daemon with the following command for the changes to take effect:

$ sudo service auditd restart
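
To verify the result, the following script is an added example, not part of the STIG text or the original page: it reads the directory's owner and mode and applies the limit from the Note above ("0700" when owned by "root", otherwise "0750"). The function names are hypothetical, and GNU "stat -c" is assumed.

```shell
#!/bin/sh
# Added example: check an audit log directory against RHEL-10-400190.
# Function names are hypothetical; /var/log/audit is the path used on the page.

# mode_within LIMIT MODE
# Succeeds when MODE sets no permission bit outside LIMIT (both octal),
# i.e. MODE is "LIMIT or less permissive". Setuid/setgid/sticky bits are
# outside LIMIT as well, so they fail the check and get reported.
mode_within() {
    [ $(( 0$2 & ~0$1 )) -eq 0 ]
}

# required_limit OWNER
# Prints the most permissive mode allowed, following the page's Note.
required_limit() {
    if [ "$1" = "root" ]; then
        echo 0700
    else
        echo 0750
    fi
}

# check_audit_dir [DIR]
# Returns 0 on PASS, 1 on a mode violation, 2 if DIR is not a directory.
check_audit_dir() {
    dir=${1:-/var/log/audit}
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi
    owner=$(stat -c '%U' "$dir")   # owning user name
    mode=$(stat -c '%a' "$dir")    # octal mode, e.g. 700 or 2750
    limit=$(required_limit "$owner")
    if mode_within "$limit" "$mode"; then
        echo "PASS: $dir mode=$mode owner=$owner limit=$limit"
    else
        echo "FAIL: $dir mode=$mode owner=$owner limit=$limit"
        return 1
    fi
}
```

Run "check_audit_dir" with sufficient privileges to read the directory's metadata; with no argument it checks /var/log/audit.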

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip