id: audit_folders_mode_configure
title: "Configure Audit Log Folders to Mode 700 or Less Permissive"
discussion: |
  The audit log folder _MUST_ be configured to mode 700 or less permissive so that only the root user is able to read, write, and execute changes to folders.

  Because audit logs contain sensitive data about the system and users, the audit service _MUST_ be configured to mode 700 or less permissive; thereby preventing normal users from reading, modifying or deleting audit logs.
check: |
  /usr/bin/stat -f %A $(/usr/bin/grep '^dir' /etc/security/audit_control | /usr/bin/awk -F: '{print $2}')
result:
  integer: 700
fix: |
  [source,bash]
  ----
  /bin/chmod 700 /var/audit
  ----
references:
  cce:
    - CCE-92726-9
  cci:
    - CCI-000162
    - CCI-000163
    - CCI-000164
  800-53r5:
    - AU-9
  800-53r4:
    - AU-9
  srg:
    - SRG-OS-000057-GPOS-00027
    - SRG-OS-000058-GPOS-00028
    - SRG-OS-000059-GPOS-00029
  disa_stig:
    - N/A
  800-171r2:
    - 3.3.8
  cis:
    benchmark:
      - 3.5 (level 1)
    controls v8:
      - 3.3
  cmmc:
    - AU.L2-3.3.8
macOS:
  - "14.0"
tags:
  - 800-53r5_low
  - 800-53r5_moderate
  - 800-53r5_high
  - 800-53r4_low
  - 800-53r4_moderate
  - 800-53r4_high
  - 800-171
  - cis_lvl1
  - cis_lvl2
  - cisv8
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
severity: "medium"
mobileconfig: false
mobileconfig_info: