← Rules Catalog
mediumauditverified rollback-safe

Ensure /etc/audit/ is owned by root

audit-config-dir-owner · RHEL ≥ 8 · 1 impl

Description

The /etc/audit/ directory must be owned by root to prevent unauthorized modification of audit configuration.

Rationale

Unauthorized changes to audit configuration could disable auditing or redirect audit records, allowing malicious activity to go undetected.

Check → Remediate

Checkfile_permission
path:
/etc/audit
owner:
root
Remediatefile_permissions
path:
/etc/audit
owner:
root

Framework references

STIG

V-281056 / RHEL-10-400195V-270175V-230400

NIST 800-53

AU-9AC-6

Live verification

rhel8:checkrhel9:check
#audit#permissions#configuration