Audit log files must not contain ACLs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-51631	OSX8-00-00345	SV-65841r1_rule		Medium

Description
Audit log files should not contain ACLs.

STIG	Date
Apple OS X 10.8 (Mountain Lion) Workstation STIG	2015-02-10

Details

Check Text ( C-53943r2_chk )
To check for ACLs of the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control \| awk -F: '{print $2 "/*"}'` \| grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity" ). If any file contains this information, this is a finding.

Check Text ( C-53943r2_chk )

To check for ACLs of the audit log files, run the following command:

sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current

The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity" ). If any file contains this information, this is a finding.

Fix Text (F-56433r1_fix)
For any log file that returns an ACL, run the following command: sudo chmod -N [audit log file] where [audit log file] is the full path to the log file in question.