4.1.4.2 Ensure only authorized users own audit log files

Audit

Run the following command to verify audit log files are owned by the root user:

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec stat -Lc "%n %U" {} +

Nothing should be returned.

Remediation

Run the following command to configure the audit log files to be owned by the root user:

# [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec chown root {} +
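The audit check above as reusable shell functions, added here as an example and not part of the benchmark text: it reads log_file from auditd.conf, lists files under that directory whose owner is not the expected user (root by default, as in the benchmark), and returns distinct exit codes so it can be wired into a compliance script. The config-path and owner parameters and the constructed demo directory are this example's own assumptions; the benchmark hard-codes /etc/audit/auditd.conf and root.

```shell
#!/bin/sh
# Added example: check CIS 4.1.4.2 (audit log files owned by root) as
# shell functions. The config path and expected owner are parameters
# (the benchmark itself hard-codes /etc/audit/auditd.conf and root) so
# the logic can be exercised on a constructed directory without root.

# audit_log_dir CONF -> prints the directory that holds auditd's log_file;
# fails if CONF is missing or has no log_file directive.
audit_log_dir() {
    conf=$1
    [ -f "$conf" ] || return 1
    # Accepts "log_file = /var/log/audit/audit.log" with any surrounding spaces.
    log_file=$(sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$log_file" ] || return 1
    dirname "$log_file"
}

# find_unowned_logs CONF OWNER -> prints "owner path" for each regular file
# in the audit log directory whose owner is not OWNER (symlinks resolved).
find_unowned_logs() {
    conf=$1 owner=$2
    dir=$(audit_log_dir "$conf") || return 1
    find "$dir" -type f -exec stat -Lc '%U %n' {} + | awk -v want="$owner" '$1 != want'
}

# check_audit_log_owner CONF [OWNER] -> 0 compliant, 1 offending files found
# (printed), 2 config unreadable. OWNER defaults to root as in the benchmark.
check_audit_log_owner() {
    conf=$1 owner=${2:-root}
    out=$(find_unowned_logs "$conf" "$owner") || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on a constructed directory: the log files are owned by whoever runs
# this, so the check passes for that user and fails for root unless this
# shell is itself root. Remediation on a real host is the benchmark's chown.
demo=$(mktemp -d)
mkdir -p "$demo/log"
printf 'log_file = %s/log/audit.log\n' "$demo" > "$demo/auditd.conf"
: > "$demo/log/audit.log"
: > "$demo/log/audit.log.1"
check_audit_log_owner "$demo/auditd.conf" "$(id -un)" && echo "compliant for $(id -un)"
check_audit_log_owner "$demo/auditd.conf" || echo "non-compliant for root (rc=$?)"
rm -rf "$demo"
```

On a real host, call `check_audit_log_owner /etc/audit/auditd.conf` and treat exit code 1 as a finding to remediate with the chown command above; exit code 2 means auditd is not configured where the benchmark expects it.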