mediumauditverified ✓rollback-safe
Ensure audit log files group owner is configured
audit-log-group · RHEL ≥ 8 · 1 impl
Description
Audit log files must be group-owned by root or adm to prevent unauthorized access.
Rationale
Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.
Check → Remediate
Checkcommand
find "$(dirname "$(awk -F= '/^log_file/{print $2}' /etc/audit/auditd.conf | tr -d ' ')")" -type f ! -group root ! -group adm 2>/dev/null | head -1- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /var/log/audit
- find_type:
- f
- group:
- root
Framework references
CIS
rhel9 6.3.4.4rhel10 6.3.4.4rhel8 6.3.4.4
STIG
V-281050 / RHEL-10-400165V-281053 / RHEL-10-400180V-258165 / RHEL-09-653080V-230398
NIST 800-53
AU-9
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#permissions