highauditverified ✓rollback-safe
Set permissions on audit configuration files
audit-config-permissions · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
Audit configuration files in /etc/audit must have restrictive permissions (0640 or more restrictive) to prevent unauthorized modification of audit settings.
Rationale
Audit configuration controls what events are logged. Unauthorized modification could allow attackers to disable auditing of their activities or create blind spots.
Check → Remediate
Checkcommand
find /etc/audit -type f \( ! -perm 640 -a ! -perm 600 -o ! -user root -o ! -group root \) 2>/dev/null | head -1
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /etc/audit
- find_type:
- f
- owner:
- root
- group:
- root
- mode:
- 0640
Framework references
CIS
rhel9 6.3.4.5rhel10 6.3.4.5rhel8 6.3.4.5
STIG
V-281101 / RHEL-10-500025V-281364 / RHEL-10-900000V-258171 / RHEL-09-653110V-230471V-270775 / UBTU-24-900040V-260601 / UBTU-22-653065
NIST 800-53
AU-9AC-6
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions#configuration#security