
4.1.4.10 Ensure audit tools belong to group root

Audit

Run the following command to verify the audit tools have mode 755 or more restrictive, are owned by the root user and group root:

# stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+([0-7][0145][0145])\h+root\h+root\h*$'

Nothing should be returned.

Remediation

Run the following command to remove write permission for group and other from the audit tools:

# chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules

Run the following command to set the owner and group of the audit tools to root:

# chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules
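The audit and remediation steps above, combined into one POSIX sh script as an added example (not part of the benchmark text). It parses the same `stat -c "%n %a %U %G"` output the audit command produces, so each finding is reported with its reason; the function names check_line, audit_tools and remediate_tools are assumed, as is the choice to treat a missing tool as a finding.

```shell
#!/bin/sh
# Added example, not benchmark text. check_line evaluates one "name mode user group"
# line as printed by stat -c "%n %a %U %G" and returns 0 only when group and other
# lack the write bit and the owner and group are root, printing the reason otherwise.
AUDIT_TOOLS="/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules"

check_line() {
    set -- $1                    # split on whitespace; the tool paths contain none
    if [ $# -ne 4 ]; then
        echo "unparseable stat line: $*"; return 1
    fi
    name=$1 mode=$2 user=$3 group=$4
    case $mode in
        ''|*[!0-7]*) echo "$name: mode '$mode' is not octal"; return 1 ;;
    esac
    # %a prints no leading zeros and setuid/setgid/sticky add a leading digit, so
    # after padding to three digits the last two digits are always group and other.
    padded=$mode
    while [ ${#padded} -lt 3 ]; do padded=0$padded; done
    go=${padded#"${padded%??}"}
    case $go in
        [0145][0145]) ;;         # 0, 1, 4 and 5 are the octal digits without the write bit (2)
        *) echo "$name: mode $mode grants write to group or other"; return 1 ;;
    esac
    if [ "$user" != root ] || [ "$group" != root ]; then
        echo "$name: owned by $user:$group, expected root:root"; return 1
    fi
    return 0
}

# Check the real tools: one line per finding, exit status 1 if any tool fails.
audit_tools() {
    rc=0
    for f in $AUDIT_TOOLS; do
        if [ ! -e "$f" ]; then
            echo "$f: not present"; rc=1; continue   # assumption: a missing tool counts as a finding
        fi
        check_line "$(stat -c '%n %a %U %G' "$f")" || rc=1
    done
    return $rc
}

# Apply the benchmark's chmod/chown only to the tools that fail the check (run as root).
remediate_tools() {
    for f in $AUDIT_TOOLS; do
        [ -e "$f" ] || continue
        check_line "$(stat -c '%n %a %U %G' "$f")" >/dev/null && continue
        chmod go-w "$f" && chown root:root "$f"
    done
}
```

Source the file and call audit_tools to reproduce the audit, or remediate_tools as root to apply the fix only where needed.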