mediumauditverified ✓rollback-safe
Ensure audit log files owner is configured
audit-log-owner · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
Audit log files must be owned by root to prevent unauthorized modification.
Rationale
Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.
Check → Remediate
Checkcommand
find "$(dirname "$(awk -F= '/^log_file/{print $2}' /etc/audit/auditd.conf | tr -d ' ')")" -type f ! -user root 2>/dev/null | head -1- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /var/log/audit
- find_type:
- f
- owner:
- root
Framework references
CIS
rhel9 6.3.4.3rhel10 6.3.4.3rhel8 6.3.4.3
STIG
V-281052 / RHEL-10-400175V-230397V-270828 / UBTU-24-901310V-260598 / UBTU-22-653050
NIST 800-53
AU-9
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions