← Rules Catalog
mediumauditverified rollback-safe

Ensure audit log files group owner is configured

audit-log-group · RHEL ≥ 8 · 1 impl

Description

Audit log files must be group-owned by root or adm to prevent unauthorized access.

Rationale

Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.

Check → Remediate

Checkcommand
find "$(dirname "$(awk -F= '/^log_file/{print $2}' /etc/audit/auditd.conf | tr -d ' ')")" -type f ! -group root ! -group adm 2>/dev/null | head -1
expected_exit:
0
Remediatefile_permissions
find_paths:
/var/log/audit
find_type:
f
group:
root

Framework references

CIS

rhel9 6.3.4.4rhel10 6.3.4.4rhel8 6.3.4.4

STIG

V-281050 / RHEL-10-400165V-281053 / RHEL-10-400180V-258165 / RHEL-09-653080V-230398

NIST 800-53

AU-9

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#permissions