← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit access to /var/log/journal (Ubuntu)

audit-watch-journal · UBUNTU ≥ 22 · 1 impl

Description

Modifications to /var/log/journal must generate an audit record so that access to the systemd journal can be traced to an individual.

Rationale

Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/journal -p wa -k systemd_journal
Remediateaudit_rule_set
rule:
-w /var/log/journal -p wa -k systemd_journal
persist_file:
/etc/audit/rules.d/50-watch-journal.rules

Framework references

STIG

V-270715 / UBTU-24-300029V-260640 / UBTU-22-654190

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#watch