
All system audit files must not have extended ACLs.


Overview

Finding ID: V-22369
Version: GEN002710
Rule ID: SV-63885r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2020-02-25

Details

Check Text ( C-52421r1_chk )
Check the system audit log files for extended ACLs.

Procedure:
# grep "^log_file" /etc/audit/auditd.conf | sed 's/^[^/]*//' | xargs ls -l

If the permissions include a '+', the file has an extended ACL. If the file has an extended ACL and it has not been documented with the IAO, this is a finding.
Fix Text (F-54457r1_fix)
Remove the extended ACL from the system audit file(s).
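The check and fix above as an added shell example; it is not part of the STIG or the STIG Viewer. It reads log_file from a constructed auditd.conf (tolerating comments and whitespace that the one-line grep/sed pipeline does not), tests the ls -l mode string for the trailing '+', and prints the setfacl --remove-all remediation for a finding without executing it. The function names, the sample config and the remediation path are assumptions.

```shell
#!/bin/sh
# Added example (not the STIG's own check script): locate the auditd log file
# from auditd.conf and report whether it carries an extended ACL.

# audit_log_path CONF: print the path from the "log_file = ..." line of CONF.
# Skips commented-out lines and tolerates whitespace around the '='.
audit_log_path() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# has_extended_acl MODE: exit 0 if an ls -l mode string (e.g. "-rw-------+")
# ends in '+', the marker ls uses for an extended ACL; exit 1 otherwise.
# A trailing '.' (SELinux context only) is not an ACL and is not a finding.
has_extended_acl() {
    case "$1" in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_audit_acl CONF: resolve the log file, run ls -ld on it and classify.
# Prints "finding" (exit 1), "ok" (exit 0) or "missing" (exit 2); for a
# finding the remediation command is printed to stderr, not run.
check_audit_acl() {
    path=$(audit_log_path "$1")
    if [ -z "$path" ] || [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi
    mode=$(ls -ld "$path" | awk '{print $1}')
    if has_extended_acl "$mode"; then
        echo "finding"
        echo "remediate with: setfacl --remove-all $path" >&2
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample config for a stand-alone run; on a real host pass
# /etc/audit/auditd.conf instead.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# log_file = /var/log/audit/old.log
log_file = /var/log/audit/audit.log
log_format = RAW
EOF
check_audit_acl "$sample_conf" || true
rm -f "$sample_conf"
```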