All audit logs must be group owned by root. The path for the audit log can be configured via the log_file parameter in /etc/audit/auditd.conf; by default, the path for the audit log is /var/log/audit/.
To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group.
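
The check below is an added example, not part of the original rule text: it resolves the log directory from log_file and the expected group from log_group, then lists any audit log whose group owner differs. The function names and the --check argument are hypothetical, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Print the value of KEY from an auditd.conf-style file ("key = value"),
# skipping comment lines and matching the key case-insensitively.
conf_value() {  # $1 = config file, $2 = key (lowercase)
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# Directory holding the audit logs: dirname of log_file, else the default.
audit_log_dir() {  # $1 = config file
    lf=$(conf_value "$1" log_file)
    if [ -n "$lf" ]; then dirname "$lf"; else echo /var/log/audit; fi
}

# Group that must own the logs: log_group when set, otherwise root.
expected_group() {  # $1 = config file
    g=$(conf_value "$1" log_group)
    echo "${g:-root}"
}

# Print each regular file directly under DIR whose group owner is not GROUP.
# Prints nothing when every log is compliant.
noncompliant_logs() {  # $1 = dir, $2 = group
    find "$1" -maxdepth 1 -type f -exec stat -c '%G %n' {} + |
        awk -v g="$2" '$1 != g { sub(/^[^ ]+ /, ""); print }'
}

# Usage: sh check.sh --check [conf]   (needs read access to the log directory)
if [ "${1:-}" = "--check" ]; then
    conf=${2:-/etc/audit/auditd.conf}
    noncompliant_logs "$(audit_log_dir "$conf")" "$(expected_group "$conf")"
fi
```

Any path it prints can be corrected with chgrp, using the group that expected_group reports.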