← Rules Catalog
mediumauditverified

Ensure audit tools owner is configured

audit-tools-owner · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

Audit tool binaries must be owned by root.

Rationale

Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.

Check → Remediate

Checkcommand
find /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules -type f ! -user root 2>/dev/null | head -1
expected_exit:
0
Remediatecommand_exec
chown root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules

Framework references

CIS

rhel9 6.3.4.9rhel10 6.3.4.9ubuntu24 6.2.4.9ubuntu22 6.2.4.9rhel8 6.3.4.9

STIG

V-281077 / RHEL-10-400300V-257924 / RHEL-09-232220V-230473V-270822 / UBTU-24-901240V-260507 / UBTU-22-232110

NIST 800-53

AU-9AC-6

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions