{"description": "Files containing sensitive information should be protected by restrictive\npermissions. Most of the time, these files do not need to be\nread by any non-root user.\n\nCheck that the \"permissions.local\" file contains the correct permissions rules with the following command:\n\n<pre># grep -i audit /etc/permissions.local\n\n/var/log/audit/ root:root 600\n/var/log/audit/audit.log root:root 600\n/etc/audit/audit.rules root:root 640\n/etc/audit/rules.d/audit.rules root:root 640</pre>", "rationale": "Without the capability to restrict which roles and individuals can select\nwhich events are audited, unauthorized personnel may be able to prevent the\nauditing of critical events. Misconfigured audits may degrade the system's\nperformance by overwhelming the audit log. Misconfigured audits may also\nmake it more difficult to establish, correlate, and investigate the events\nrelating to an incident or identify those responsible for one.", "severity": "medium", "references": {"nist": ["AU-9"], "srg": ["SRG-OS-000057-GPOS-00027", "SRG-OS-000058-GPOS-00028", "SRG-OS-000059-GPOS-00029"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "\nCheck that the <tt>permissions.local</tt> file contains the correct permissions\nrules with the following command:\n\n<pre># grep -i audit /etc/permissions.local\n\n/var/log/audit/ root:root 600\n/var/log/audit/audit.log root:root 600\n/etc/audit/audit.rules root:root 640\n/etc/audit/rules.d/audit.rules root:root 640</pre>\n\nIf the command does not return all the above lines, the missing ones need\nto be added.\n\nRun the following command to correct the permissions after adding missing\nentries:\n\n<pre># sudo chkstat --set --system</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], 
"sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify that Local Logs of the audit Daemon are not World-Readable", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml", "template": null}