Skip to content

6.2.4.1 Ensure audit log files mode is configured

Audit#

Run the following script to verify audit log files are mode 0640 or more restrictive: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#!/usr/bin/env bash
{
l_perm_mask="0137"
if [ -e "/etc/audit/auditd.conf" ]; then
l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")"
if [ -d "$l_audit_log_directory" ]; then
l_maxperm="$(printf '%o' $(( 0777 & ~$l_perm_mask )) )"
a_files=()
while IFS= read -r -d $'\0' l_file; do
[ -e "$l_file" ] && a_files+=("$l_file")
done < <(find "$l_audit_log_directory" -maxdepth 1 -type f -perm /"$l_perm_mask" -print0)
if (( "${#a_files[@]}" > 0 )); then
for l_file in "${a_files[@]}"; do
l_file_mode="$(stat -Lc '%#a' "$l_file")"
echo -e "\n- Audit Result:\n ** FAIL **\n - File: \"$l_file\" is mode: \"$l_file_mode\"\n (should be mode: \"$l_maxperm\" or more restrictive)\n"
done
else
echo -e "\n- Audit Result:\n ** PASS **\n - All files in \"$l_audit_log_directory\" are mode: \"$l_maxperm\" or more restrictive"
fi
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Log file directory not set in \"/etc/audit/auditd.conf\" please set log file directory"
fi
else
echo -e "\n- Audit Result:\n ** FAIL **\n - File: \"/etc/audit/auditd.conf\" not found.\n - ** Verify auditd is installed **"
fi
}

Remediation#

Run the following command to remove more permissive mode than 0640 from audit log files: 

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +