diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml

new file mode 100644

index 00000000000..968ef336148

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/rule.yml

@@ -0,0 +1,39 @@

+documentation_complete: true

+

+title: 'Audit Configuration Files Must Be Owned By Root'

+

+description: |-

+    All audit configuration files must be owned by root user.

+    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}

+    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}

+

+rationale: |-

+    Without the capability to restrict which roles and individuals can

+    select which events are audited, unauthorized personnel may be able

+    to prevent the auditing of critical events.

+    Misconfigured audits may degrade the system's performance by

+    overwhelming the audit log. Misconfigured audits may also make it more

+    difficult to establish, correlate, and investigate the events relating

+    to an incident or identify those responsible for one.

+

+severity: medium

+

+references:

+    disa: CCI-000171

+    srg: SRG-OS-000063-GPOS-00032

+    stigid@ubuntu2004: UBTU-20-010134

+

+ocil: |-

+    {{{ describe_file_owner(file="/etc/audit/", owner="root") }}}

+    {{{ describe_file_owner(file="/etc/audit/rules.d/", owner="root") }}}

+

+template:

+    name: file_owner

+    vars:

+        filepath:

+            - /etc/audit/

+            - /etc/audit/rules.d/

+        file_regex:

+            - ^audit(\.rules|d\.conf)$

+            - ^.*\.rules$

+        fileuid: '0'

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh

new file mode 100644

index 00000000000..4d67307a1ef

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/correct_owner.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# packages = audit

+

+chown 0 /etc/audit/audit.rules

+chown 0 /etc/audit/auditd.conf

+chown 0 -R /etc/audit/rules.d/

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh

new file mode 100644

index 00000000000..337074fab92

--- /dev/null

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_audit_configuration/tests/incorrect_owner.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# packages = audit

+

+useradd testuser_123

+chown testuser_123 /etc/audit/audit.rules

+chown testuser_123 /etc/audit/auditd.conf

+chown testuser_123 -R /etc/audit/rules.d/

diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml

new file mode 100644

index 00000000000..f1bf515455d

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_syslog/rule.yml

@@ -0,0 +1,27 @@

+documentation_complete: true

+

+title: 'Verify User Who Owns /var/log/syslog File'

+

+description: '{{{ describe_file_owner(file="/var/log/syslog", owner="syslog") }}}'

+

+rationale: |-

+    The <tt>/var/log/syslog</tt> file contains logs of error messages in

+    the system and should only be accessed by authorized personnel.

+

+severity: medium

+

+references:

+    disa: CCI-001314

+    srg: SRG-OS-000206-GPOS-00084

+    stigid@ubuntu2004: UBTU-20-010421

+

+ocil_clause: '{{{ ocil_clause_file_owner(file="/var/log/syslog", owner="syslog") }}}'

+

+ocil: |-

+    {{{ ocil_file_owner(file="/var/log/syslog", owner="syslog") }}}

+

+template:

+    name: file_owner

+    vars:

+        filepath: /var/log/syslog

+        fileuid: '104'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml

new file mode 100644

index 00000000000..e2362388678

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml

@@ -0,0 +1,55 @@

+documentation_complete: true

+

+title: 'Verify that System Executable Have Root Ownership'

+

+description: |-

+    
/bin

+    /sbin

+    /usr/bin

+    /usr/sbin

+    /usr/local/bin

+    /usr/local/sbin

+    All these directories should be owned by the <tt>root</tt> user.

+    If any directory DIR in these directories is found

+    to be owned by a user other than root, correct its ownership with the

+    following command:

+    
$ sudo chown root DIR

+

+rationale: |-

+    System binaries are executed by privileged users as well as system services,

+    and restrictive permissions are necessary to ensure that their

+    execution of these programs cannot be co-opted.

+

+severity: medium

+

+references:

+    disa: CCI-001495

+    srg: SRG-OS-000258-GPOS-00099

+    stigid@ubuntu2004: UBTU-20-010424

+

+ocil_clause: 'any system exectables directories are found to not be owned by root'

+

+ocil: |-

+    System executables are stored in the following directories by default:

+    
/bin

+    /sbin

+    /usr/bin

+    /usr/local/bin

+    /usr/local/sbin

+    /usr/sbin

+    For each of these directories, run the following command to find files

+    not owned by root:

+    
$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \;

+

+template:

+    name: file_owner

+    vars:

+        filepath:

+            - /bin/

+            - /sbin/

+            - /usr/bin/

+            - /usr/sbin/

+            - /usr/local/bin/

+            - /usr/local/sbin/

+        recursive: 'true'

+        fileuid: '0'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml

new file mode 100644

index 00000000000..0c7d9b313d5

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_audit_binaries/rule.yml

@@ -0,0 +1,77 @@

+documentation_complete: true

+

+prodtype: ubuntu2004

+

+title: 'Verify that audit tools are owned by root'

+

+description: |-

+    The {{{ full_name }}} operating system audit tools must have the proper

+    ownership configured to protected against unauthorized access.

+

+    Verify it by running the following command:

+    
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

+

+    /sbin/auditctl root

+    /sbin/aureport root

+    /sbin/ausearch root

+    /sbin/autrace root

+    /sbin/auditd root

+    /sbin/audispd root

+    /sbin/augenrules root

+    

+

+    Audit tools needed to successfully view and manipulate audit information

+    system activity and records. Audit tools include custom queries and report

+    generators

+

+rationale: |-

+    Protecting audit information also includes identifying and protecting the

+    tools used to view and manipulate log data. Therefore, protecting audit

+    tools is necessary to prevent unauthorized operation on audit information.

+ 

+    Operating systems providing tools to interface with audit information

+    will leverage user permissions and roles identifying the user accessing the

+    tools and the corresponding rights the user enjoys to make access decisions

+    regarding the access to audit tools.

+

+severity: medium

+

+references:

+    disa: CCI-001493,CCI-001494

+    srg: SRG-OS-000256-GPiOS-00097,SRG-OS-000257-GPOS-00098

+    stigid@ubuntu2004: UBTU-20-010200

+

+ocil: |-

+    Verify it by running the following command:

+    
$ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules

+

+    /sbin/auditctl root

+    /sbin/aureport root

+    /sbin/ausearch root

+    /sbin/autrace root

+    /sbin/auditd root

+    /sbin/audispd root

+    /sbin/augenrules root

+    

+

+    If the command does not return all the above lines, the missing ones

+    need to be added.

+

+    Run the following command to correct the permissions of the missing

+    entries:

+    
$ sudo chown root [audit_tool] 

+

+    Replace "[audit_tool]" with each audit tool not owned by root.

+

+template:

+    name: file_owner

+    vars:

+        filepath:

+            - /sbin/auditctl

+            - /sbin/aureport

+            - /sbin/ausearch

+            - /sbin/autrace

+            - /sbin/auditd

+            - /sbin/audispd

+            - /sbin/augenrules

+        fileuid: '0'

diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template

index 80eaae8d50b..590c9fc6055 100644

--- a/shared/templates/file_owner/ansible.template

+++ b/shared/templates/file_owner/ansible.template

@@ -25,7 +25,7 @@

 - name: Ensure owner on {{{ path }}} recursively

   file:

-    paths "{{{ path }}}"

+    path: "{{{ path }}}"

     state: directory

     recurse: yes

     owner: "{{{ FILEUID }}}"

diff --git a/shared/templates/file_owner/tests/missing_file_test.pass.sh b/shared/templates/file_owner/tests/missing_file_test.pass.sh

index 938e6b30819..4e3683f9dcf 100644

--- a/shared/templates/file_owner/tests/missing_file_test.pass.sh

+++ b/shared/templates/file_owner/tests/missing_file_test.pass.sh

@@ -1,8 +1,18 @@

 #!/bin/bash

 #

-{{% if MISSING_FILE_PASS %}}

-    rm -f {{{ FILEPATH }}}

-{{% else %}}

-    true

-{{% endif %}}

+{{% for path in FILEPATH %}}

+    {{% if MISSING_FILE_PASS %}}

+        rm -f {{{ path }}}

+    {{% else %}}

+        {{% if IS_DIRECTORY and RECURSIVE %}}

+        find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \;

+        {{% else %}}

+        if [ ! -f {{{ path }}} ]; then

+            mkdir -p "$(dirname '{{{ path }}}')"

+            touch {{{ path }}}

+        fi

+        chown {{{ FILEUID }}} {{{ path }}}

+        {{% endif %}}

+    {{% endif %}}

+{{% endfor %}}