Profile Applicability:
Level 1

Description:
 Audit configuration files control how auditing is performed on the system. Ensuring these files are owned by the root user restricts unauthorized modifications, preserving the integrity and reliability of the auditing process.

Rationale:
 Proper ownership prevents unauthorized users from altering audit settings, which is critical for maintaining effective security monitoring and compliance.

Impact:
 Pros:

  • Protects audit configurations from unauthorized changes.

  • Supports trustworthy security auditing.

 Cons:

  • Incorrect ownership may interfere with legitimate audit processes.

Default Value:
 Audit configuration files typically have root ownership, but verification is necessary.

Pre-requisites:

  • Root or sudo privileges to audit and modify file ownership.

Remediation:

Test Plan:

Using Linux command line:

  1. Identify audit configuration files:

    ls -l /etc/audit/audit.rules /etc/audit/rules.d/
  2. Verify ownership is set to root for these files.

Implementation Plan:

Using Linux command line:

  1. Change ownership to root:

    chown root /etc/audit/audit.rules
    chown -R root /etc/audit/rules.d/
  2. Verify changes:

    ls -l /etc/audit/audit.rules /etc/audit/rules.d/

Backout Plan:

Using Linux command line:

  1. Restore previous ownership from backups if needed.

  2. Test audit service functionality.
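The test plan and backout plan above can be scripted. The following is an added example, not part of the original benchmark text: it lists audit files not owned by root and records current ownership before any chown so the backout has something to restore from. The function names are hypothetical, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the benchmark). Assumes GNU find and stat.

# list_bad_owner PATH [UID]
# Print "owner path" for each regular file under PATH whose owner UID
# differs from the expected UID (default 0, i.e. root). No output = pass.
list_bad_owner() {
    target=$1
    want_uid=${2:-0}
    find "$target" -type f ! -uid "$want_uid" -exec stat -c '%U %n' {} +
}

# snapshot_ownership OUTFILE PATH...
# Save "uid:gid path" for every file and directory under the given paths
# so the chown from the implementation plan can be reverted during backout.
snapshot_ownership() {
    out=$1
    shift
    find "$@" -exec stat -c '%u:%g %n' {} + > "$out"
}

# restore_ownership SNAPSHOT
# Re-apply a snapshot written by snapshot_ownership.
# Assumes no recorded path contains a newline.
restore_ownership() {
    while read -r owner path; do
        chown "$owner" "$path"
    done < "$1"
}

# "check" inspects the paths named in the test plan;
# "snapshot FILE" records their current ownership before remediation.
case "${1:-}" in
    check)
        for p in /etc/audit/audit.rules /etc/audit/rules.d; do
            list_bad_owner "$p"
        done ;;
    snapshot)
        snapshot_ownership "$2" /etc/audit/audit.rules /etc/audit/rules.d ;;
esac
```

Run the snapshot before the chown commands in the implementation plan, and keep the snapshot file outside /etc/audit.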
