The audit log files must not contain ACLs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-51667	OSX8-00-00225	SV-65877r1_rule		Medium

Description
The audit log files should not contain ACLs.

STIG	Date
Apple OS X 10.8 (Mountain Lion) Workstation STIG	2015-02-10

Details

Check Text ( C-53973r3_chk )
To check for ACLs of the audit log files, run the following command: sudo ls -le `sudo grep "^dir" /etc/security/audit_control \| awk -F: '{print $2 "/*"}'` \| grep -v current The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them. i.e. "0: group:admin allow list,readattr,reaadextattr,readsecurity". If any file contains this information, this is a finding.

Check Text ( C-53973r3_chk )

To check for ACLs of the audit log files, run the following command:

sudo ls -le `sudo grep "^dir" /etc/security/audit_control | awk -F: '{print $2 "/*"}'` | grep -v current

The audit log files listed should not contain ACLs. ACLs will be listed under any file that may contain them. i.e. "0: group:admin allow list,readattr,reaadextattr,readsecurity".

If any file contains this information, this is a finding.

Fix Text (F-56467r1_fix)
For any log file that returns an ACL, run the following command: chmod -N [audit log file] where [audit log file] is the full path to the log file in question.