System Audit Logs Must Be Owned By Root

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


All audit logs must be owned by root user. The path for audit log can be configured via log_file parameter in


or by default, the path for audit log is



To properly set the owner of /var/log/audit/*, run the command:

$ sudo chown root /var/log/audit/* 


Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.


Shell script

The following script can be run on the host to remediate the issue.


# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

if LC_ALL=C grep -iw log_file /etc/audit/auditd.conf; then
    FILE=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
    chown root $FILE*
    chown root /var/log/audit/audit.log*

    >&2 echo 'Remediation is not applicable, nothing was done'