---
title: Verify User Who Owns /var/log/auth.log File
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Verify User Who Owns /var/log/auth.log
  File
---

# Verify User Who Owns /var/log/auth.log File
 
## Description{% #description %}

To properly set the owner of `/var/log/auth.log`, run the command:

```gdscript3
$ sudo chown syslog /var/log/auth.log 
```

or

```gdscript3
$ sudo chown root /var/log/auth.log 
```

## Rationale{% #rationale %}

The `/var/log/auth.log` file contains records information about user login attempts and authentication processes and should only be accessed by authorized personnel.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
#!/bin/bash

newown=""
if id "syslog" >/dev/null 2>&1; then
  newown="syslog"
elif id "root" >/dev/null 2>&1; then
  newown="root"
fi

if [[ -z "$newown" ]]; then
  >&2 echo "syslog and root is not a defined user on the system"
else
if ! stat -c "%u %U" "/var/log/auth.log" | grep -E -w -q "syslog|root"; then
    chown --no-dereference "$newown" /var/log/auth.log
fi

fi
```

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```gdscript3
- name: Check that the syslog user is defined
  ansible.builtin.getent:
    database: passwd
    key: syslog
  ignore_errors: true
  tags:
  - configure_strategy
  - file_owner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_owner_var_log_auth_newown variable if syslog found
  ansible.builtin.set_fact:
    file_owner_var_log_auth_newown: syslog
  when: ansible_facts.getent_passwd["syslog"] is defined
  tags:
  - configure_strategy
  - file_owner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Check that the root user is defined
  ansible.builtin.getent:
    database: passwd
    key: root
  ignore_errors: true
  when: file_owner_var_log_auth_newown is undefined
  tags:
  - configure_strategy
  - file_owner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_owner_var_log_auth_newown variable if root found
  ansible.builtin.set_fact:
    file_owner_var_log_auth_newown: root
  when: ansible_facts.getent_passwd["root"] is defined
  tags:
  - configure_strategy
  - file_owner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /var/log/auth.log
  ansible.builtin.stat:
    path: /var/log/auth.log
  register: file_exists
  tags:
  - configure_strategy
  - file_owner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner on /var/log/auth.log
  ansible.builtin.file:
    path: /var/log/auth.log
    follow: false
    owner: '{{ file_owner_var_log_auth_newown }}'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - configure_strategy
  - file_owner_var_log_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
```