mediumauditverified ✓rollback-safe
Ensure audit configuration files owner is configured
audit-config-owner · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
Audit configuration files must be owned by root.
Rationale
Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.
Check → Remediate
Checkcommand
find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root 2>/dev/null | head -1
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /etc/audit/
- find_type:
- f
- find_args:
- \( -name '*.conf' -o -name '*.rules' \)
- owner:
- root
Framework references
CIS
rhel9 6.3.4.6rhel10 6.3.4.6rhel8 6.3.4.6
STIG
V-270776 / UBTU-24-900050V-260602 / UBTU-22-653070
NIST 800-53
AU-9
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions