4.1.4.9 Ensure audit tools are owned by root
Audit
Run the following command to verify the audit tools have mode 755 or more restrictive, are owned by the root user and group root:
# stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+root\h*$'
Nothing should be returned.
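The one-liner above also prints nothing when a tool is not installed, because stat then writes only to stderr, and it reports the owner of a symlink rather than of its target. The following added example (not part of the benchmark text) reports both cases explicitly; the function name check_audit_tool_owner and the --check argument are assumptions of this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: ownership check that does not pass silently on missing files.
# Usage: check_audit_tool_owner EXPECTED_OWNER FILE...
# Prints one line per finding and returns 0 only when every file exists
# and is owned by EXPECTED_OWNER.
check_audit_tool_owner() {
    expected_owner=$1
    shift
    rc=0
    for tool in "$@"; do
        # A missing file (or dangling symlink) yields no stdout from stat,
        # so the original grep filter would see nothing and look like a pass.
        if [ ! -e "$tool" ]; then
            echo "MISSING $tool"
            rc=1
            continue
        fi
        # -L follows symlinks so the owner of the real binary is reported.
        if ! owner=$(stat -L -c '%U' -- "$tool" 2>/dev/null); then
            echo "UNREADABLE $tool"
            rc=1
            continue
        fi
        if [ "$owner" != "$expected_owner" ]; then
            echo "WRONG_OWNER $tool $owner"
            rc=1
        fi
    done
    return "$rc"
}

# Check the tool list from the audit command above when called with --check.
if [ "${1:-}" = "--check" ]; then
    check_audit_tool_owner root \
        /sbin/auditctl /sbin/aureport /sbin/ausearch \
        /sbin/autrace /sbin/auditd /sbin/augenrules
fi
```

As with the original command, no output means no findings; here the exit status is also non-zero whenever a finding is printed.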
Remediation
Run the following command to change the owner of the audit tools to the root user: