
4.1.4.5 Ensure audit configuration files are 640 or more restrictive

Audit

Run the following command to verify that every *.conf and *.rules file under /etc/audit/ has mode 640 or more restrictive. Note that the command checks the mode only; ownership by the root user and root group is verified by a separate control:

# find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec stat -Lc "%n %a" {} + | grep -Pv -- '^\h*\H+\h*([0246][04]0)\h*$'

Nothing should be returned. The regular expression accepts only the modes 000, 040, 200, 240, 400, 440, 600 and 640 (no owner execute, no group write or execute, and nothing for others), so every line that is printed names a file whose mode is more permissive than 640, together with its current mode.

Remediation

Run the following command to strip any permission bits beyond 0640 (owner execute, group write and execute, and all access for others) from the audit configuration files. Because it removes bits rather than setting the mode outright, files that are already more restrictive than 640 are left unchanged:

# find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec chmod u-x,g-wx,o-rwx {} +
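The following script is an added example, not part of the benchmark text: it wraps the audit and remediation commands above in functions that take the directory as a parameter and exercises them against a constructed throwaway tree instead of the live /etc/audit/, so the before/after behaviour can be seen safely. It assumes GNU find, stat and chmod, and uses a POSIX ERE equivalent of the benchmark's Perl-style pattern so it does not depend on grep -P; the file names and modes in demo_tree are constructed for the demonstration.

```bash
#!/bin/sh
# Added example (not the benchmark's own code). Assumes GNU find/stat/chmod.

# list_permissive DIR: print "path mode" for each *.conf / *.rules file under DIR
# whose mode is more permissive than 0640. This is the benchmark's audit command
# with the directory parameterised; the grep pattern is the POSIX ERE form of
# '^\h*\H+\h*([0246][04]0)\h*$'. Empty output means compliant.
list_permissive() {
    find "$1" -type f \( -name '*.conf' -o -name '*.rules' \) \
        -exec stat -Lc '%n %a' {} + \
        | grep -Ev -- '^[^[:space:]]+[[:space:]]+[0246][04]0$' || true
}

# count_permissive DIR: number of offending files (0 when compliant).
count_permissive() {
    list_permissive "$1" | grep -c . || true
}

# fix_permissive DIR: the benchmark's remediation, parameterised. Only removes
# bits, so files already stricter than 0640 are untouched.
fix_permissive() {
    find "$1" -type f \( -name '*.conf' -o -name '*.rules' \) \
        -exec chmod u-x,g-wx,o-rwx {} +
}

# demo_tree: build a constructed stand-in for /etc/audit/ and print its path.
# Modes are chosen to cover compliant, world-readable, group-executable and
# an unrelated file the name filter must ignore.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/rules.d"
    : > "$d/auditd.conf";            chmod 0640 "$d/auditd.conf"            # compliant
    : > "$d/audit-stop.rules";       chmod 0644 "$d/audit-stop.rules"       # readable by others
    : > "$d/rules.d/10-base.rules";  chmod 0750 "$d/rules.d/10-base.rules"  # group write/exec bits
    : > "$d/README";                 chmod 0666 "$d/README"                 # not *.conf/*.rules
    echo "$d"
}

# Usage: run the check, remediate, run the check again, then clean up.
if [ "${1:-}" = "run" ]; then
    dir=$(demo_tree)
    echo "before:"; list_permissive "$dir"
    fix_permissive "$dir"
    echo "after (expect nothing):"; list_permissive "$dir"
    rm -rf "$dir"
fi
```

Running `sh script.sh run` lists audit-stop.rules (644) and rules.d/10-base.rules (750) before remediation and nothing afterwards; auditd.conf is never listed, and README keeps its 666 mode because it does not match the name filter, which is worth remembering if a site drops configuration into /etc/audit/ under a different extension.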