mediumloggingverified ✓rollback-safe
Ensure the journalctl command is owned by root
journalctl-command-owner · UBUNTU ≥ 22 · 1 impl
Description
The /usr/bin/journalctl command must be owned by root so that only the root account can replace or tamper with the binary used to read the systemd journal.
Rationale
A journalctl binary owned by a non-root account could be modified by that account to hide or alter journal output, undermining the integrity of the audit and operational record.
Check → Remediate
Checkfile_permission
- path:
- /usr/bin/journalctl
- owner:
- root
Remediatefile_permissions
- path:
- /usr/bin/journalctl
- owner:
- root
Framework references
STIG
V-270759 / UBTU-24-700040V-260505 / UBTU-22-232100
NIST 800-53
SI-11AC-6
Live verification
ubuntu22:checkubuntu24:check
#journald#permissions#logging