{"description": "Determine where the audit logs are stored with the following command:\n<pre>$ sudo grep -iw log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log</pre>\n\nUsing the path of the directory containing the audit logs, determine\nif the audit log files have a mode of \"0600\" or less permissive by using the following command:\n<pre>$ sudo stat -c \"%n %a\" /var/log/audit/*</pre>\n\nAny audit log file with a mode more permissive than \"0600\" is a finding.", "rationale": "If unprivileged users can read or write audit logs, audit trails can be disclosed, modified, or destroyed.", "severity": "medium", "references": {"srg": ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028"], "stigid": ["UBTU-22-653045"], "stigref": ["SV-260597r958434_rule"]}, "control_references": {"stigid": ["UBTU-22-653045"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "Configure correct permissions of system audit logs.\n\nDetermine the location of the system audit logs:\n<pre>$ sudo grep -iw log_file /etc/audit/auditd.conf</pre>\n\nUsing the path of the directory containing the audit logs,\nconfigure the audit log files to have a mode of \"0600\" or\nless permissive by using the following command:\n<pre>$ sudo chmod 0600 /var/log/audit/*</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "System Audit Logs Must Have Mode 0600 or Less Permissive", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/file_permissions_var_log_audit_stig/rule.yml", "template": null}
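The check and fix described in this rule, as an added example that is not part of the SCAP Security Guide rule or its OVAL/remediation content: a POSIX shell script that parses `log_file` out of an auditd.conf the way the rule's grep does, flags every regular file in that directory whose mode carries any bit outside 0600 (group/other permissions, owner execute, setuid/setgid/sticky), and applies the chmod remediation. The fixture directory, the file names `audit.log.1` and `audit.log.2`, and their modes are constructed for the demonstration so the script runs offline; the functions themselves take any auditd.conf path and assume GNU `stat -c`, as on the Ubuntu 22.04 target of the rule.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide rule. Assumes GNU
# coreutils (stat -c), as on the Ubuntu 22.04 target of the rule.

# Extract the value of log_file from an auditd.conf, tolerating spaces
# around "=" and trailing whitespace. Prints the path; empty if absent.
audit_log_path() {
    grep -iw '^log_file' "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Print "<file> <mode>" for every regular file in the audit log directory
# whose mode has any bit set outside 0600: group/other permissions, owner
# execute, or setuid/setgid/sticky. Returns 1 if anything was printed
# (a finding), 0 if every file is 0600 or less permissive.
find_permissive_audit_logs() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # e.g. 600, 644, 4644
        # The leading 0 makes the shell parse the value as octal.
        if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
            printf '%s %s\n' "$f" "$mode"
            rc=1
        fi
    done
    return $rc
}

# Remediation from the rule's fixtext. chmod only affects files that exist
# now; auditd applies its own mode when it creates or rotates logs, so
# re-run the check after rotation.
fix_audit_log_perms() {
    chmod 0600 "$1"/*
}

# Constructed fixture standing in for /etc/audit/auditd.conf and
# /var/log/audit: one compliant file and two findings (0644 and 0700).
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/audit"
    printf 'log_file = %s/audit/audit.log\nlog_group = root\n' "$tmp" \
        > "$tmp/auditd.conf"
    : > "$tmp/audit/audit.log";   chmod 0600 "$tmp/audit/audit.log"
    : > "$tmp/audit/audit.log.1"; chmod 0644 "$tmp/audit/audit.log.1"
    : > "$tmp/audit/audit.log.2"; chmod 0700 "$tmp/audit/audit.log.2"
    printf '%s\n' "$tmp"
}

# Walk-through: locate the log directory from auditd.conf, report
# findings, remediate, and re-check.
fixture=$(make_fixture)
logdir=$(dirname "$(audit_log_path "$fixture/auditd.conf")")
echo "audit log directory: $logdir"
if find_permissive_audit_logs "$logdir"; then
    echo "no findings"
else
    echo "findings above; applying chmod 0600"
    fix_audit_log_perms "$logdir"
    find_permissive_audit_logs "$logdir" && echo "re-check clean"
fi
rm -rf "$fixture"
```

To run this against a live host, replace the fixture with `/etc/audit/auditd.conf` and run the check as root; the bitmask test is stricter than eyeballing `stat` output because it also catches owner execute and setuid/setgid/sticky bits, which `chmod 0600` clears as well.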