RHEL 9 "/etc/audit/" must be group-owned by root.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-270176	RHEL-09-232104	SV-270176r1044967_rule		Medium

Description

The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security.

STIG	Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide	2025-05-14

Details

Check Text (C-74209r1044965_chk)

Verify the group ownership of the "/etc/audit/" directory with the following command:

$ sudo stat -c "%G %n" /etc/audit/

root /etc/audit/

If "/etc/audit/" does not have a group owner of "root", this is a finding.

Fix Text (F-74110r1044966_fix)

Change the group of the file "/etc/audit/" to "root" by running the following command:

$ sudo chgrp root /etc/audit/