NixOS audit log directory must have a mode of 0700 or less permissive.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268113 | ANIX-00-000550 | SV-268113r1039227_rule | Medium |
| Description |
| Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity. |
| STIG | Date |
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
| Check Text (C-72037r1039225_chk) |
| Verify that the audit log directory has a mode of "0700" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log directory has a mode of "0700" or less by using the following command: $ sudo find /var/log/audit -type d -exec stat -c "%a %n" {} \; 700 /var/log/audit If the audit log directory (or any subfolders) has a mode more permissive than "0700", this is a finding. |
| Fix Text (F-71940r1039226_fix) |
| Configure the audit log directory to have a mode of "0700" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0700" or less permissive by using the following command: $ sudo chmod 0700 /var/log/audit |