Level 2
Workstation
Server
Logging and Auditing
Configure System Accounting (auditd)
Configure auditd file access
Automated
IG1
IG2
IG3
3.3 Configure Data Access Control Lists
T1070
T1070.002
T1083
TA0007
4.1.4.6 Ensure audit configuration files are owned by root
Audit
Run the following command to verify that the audit configuration files have mode 640 or more restrictive and are owned by the root user and root group:
# find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root
Nothing should be returned
Run the following command to change ownership to root user:
# find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root -exec chown root {} +