← Rules Catalog
highauditverified rollback-safe

Set permissions on audit configuration files

audit-config-permissions · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

Audit configuration files in /etc/audit must have restrictive permissions (0640 or more restrictive) to prevent unauthorized modification of audit settings.

Rationale

Audit configuration controls what events are logged. Unauthorized modification could allow attackers to disable auditing of their activities or create blind spots.

Check → Remediate

Checkcommand
find /etc/audit -type f \( ! -perm 640 -a ! -perm 600 -o ! -user root -o ! -group root \) 2>/dev/null | head -1
expected_exit:
0
Remediatefile_permissions
find_paths:
/etc/audit
find_type:
f
owner:
root
group:
root
mode:
0640

Framework references

CIS

rhel9 6.3.4.5rhel10 6.3.4.5rhel8 6.3.4.5

STIG

V-281101 / RHEL-10-500025V-281364 / RHEL-10-900000V-258171 / RHEL-09-653110V-230471V-270775 / UBTU-24-900040V-260601 / UBTU-22-653065

NIST 800-53

AU-9AC-6

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions#configuration#security