RHEL 9 "/etc/audit/" must be owned by root.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-270175	RHEL-09-232103	SV-270175r1044964_rule		Medium

Description

The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security.

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2025-05-14

Details

Check Text (C-74208r1044962_chk)

Verify the ownership of the "/etc/audit/" directory with the following command:

$ sudo stat -c "%U %n" /etc/audit/

root /etc/audit/

If the "/etc/audit/" directory does not have an owner of "root", this is a finding.

Fix Text (F-74109r1044963_fix)

Change the owner of the file "/etc/audit/" to "root" by running the following command:

$ sudo chown root /etc/audit/