mediumauditverified ✓
Ensure audit tools mode is configured
audit-tools-permissions · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
Audit tool binaries must have restrictive permissions.
Rationale
Incorrect ownership or permissions on audit files could allow unauthorized users to tamper with audit evidence.
Check → Remediate
Checkcommand
stat -c '%a' /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules 2>/dev/null | awk '{if ($1+0 > 755) exit 1}'- expected_exit:
- 0
Remediatecommand_exec
chmod 755 /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules
Framework references
CIS
rhel9 6.3.4.8rhel10 6.3.4.8ubuntu24 6.2.4.8ubuntu22 6.2.4.8rhel8 6.3.4.8
STIG
V-281094 / RHEL-10-400450V-257887 / RHEL-09-232035V-230472V-270821 / UBTU-24-901230V-260492 / UBTU-22-232035
NIST 800-53
AU-9AC-6
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#permissions