Skip to content

4.1.4.8 Ensure audit tools are 755 or more restrictive

Audit#

Run the following command to verify the audit tools have mode 755 or more restrictive, are owned by the root user and group root:

# stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+([0-7][0,1,4,5][0,1,4,5])\h*$'

Nothing should be returned

Remediation#

Run the following command to remove more permissive mode from the audit tools:

# chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules