← Rules Catalog
mediumauditverified rollback-safe

Ensure audit log files owner is configured

audit-log-owner · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

Audit log files must be owned by root to prevent unauthorized modification.

Rationale

Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.

Check → Remediate

Checkcommand
find "$(dirname "$(awk -F= '/^log_file/{print $2}' /etc/audit/auditd.conf | tr -d ' ')")" -type f ! -user root 2>/dev/null | head -1
expected_exit:
0
Remediatefile_permissions
find_paths:
/var/log/audit
find_type:
f
owner:
root

Framework references

CIS

rhel9 6.3.4.3rhel10 6.3.4.3rhel8 6.3.4.3

STIG

V-281052 / RHEL-10-400175V-230397V-270828 / UBTU-24-901310V-260598 / UBTU-22-653050

NIST 800-53

AU-9

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions