← Rules Catalog
mediumauditverified rollback-safe

Ensure audit configuration files owner is configured

audit-config-owner · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

Audit configuration files must be owned by root.

Rationale

Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.

Check → Remediate

Checkcommand
find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root 2>/dev/null | head -1
expected_exit:
0
Remediatefile_permissions
find_paths:
/etc/audit/
find_type:
f
find_args:
\( -name '*.conf' -o -name '*.rules' \)
owner:
root

Framework references

CIS

rhel9 6.3.4.6rhel10 6.3.4.6rhel8 6.3.4.6

STIG

V-270776 / UBTU-24-900050V-260602 / UBTU-22-653070

NIST 800-53

AU-9

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions