NixOS audit log directory must have a mode of 0700 or less permissive.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-268113	SRG-OS-000057-GPOS-00027	ANIX-00-000550	SV-268113r1039227_rule	2024-10-25	1

Description
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.

ℹ️ Check
Verify that the audit log directory has a mode of "0700" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log directory has a mode of "0700" or less by using the following command: $ sudo find /var/log/audit -type d -exec stat -c "%a %n" {} \; 700 /var/log/audit If the audit log directory (or any subfolders) has a mode more permissive than "0700", this is a finding.

ℹ️ Check

Verify that the audit log directory has a mode of "0700" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log directory has a mode of "0700" or less by using the following command: $ sudo find /var/log/audit -type d -exec stat -c "%a %n" {} \; 700 /var/log/audit If the audit log directory (or any subfolders) has a mode more permissive than "0700", this is a finding.

✔️ Fix
Configure the audit log directory to have a mode of "0700" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0700" or less permissive by using the following command: $ sudo chmod 0700 /var/log/audit