← Rules Catalog
mediumloggingverified rollback-safe

Ensure the journalctl command is owned by root

journalctl-command-owner · UBUNTU ≥ 22 · 1 impl

Description

The /usr/bin/journalctl command must be owned by root so that only the root account can replace or tamper with the binary used to read the systemd journal.

Rationale

A journalctl binary owned by a non-root account could be modified by that account to hide or alter journal output, undermining the integrity of the audit and operational record.

Check → Remediate

Checkfile_permission
path:
/usr/bin/journalctl
owner:
root
Remediatefile_permissions
path:
/usr/bin/journalctl
owner:
root

Framework references

STIG

V-270759 / UBTU-24-700040V-260505 / UBTU-22-232100

NIST 800-53

SI-11AC-6

Live verification

ubuntu22:checkubuntu24:check
#journald#permissions#logging