UCF STIG Viewer Logo

All system audit files must not have extended ACLs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22369 GEN002710 SV-26501r1_rule ECTP-1 Medium
Description
If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.
STIG Date
SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE 2015-10-01

Details

Check Text ( C-27556r1_chk )
Check the audit configuration to determine the location of the system audit log files.
# more /etc/security/audit_control
Check the system audit log files for extended ACLs.
# ls -la [audit log dir]
If the permissions include a "+", the file has an extended ACL and this is a finding.
Fix Text (F-23735r1_fix)
Remove the extended ACL from the file.
# getfacl [audit file]
Remove each ACE returned.
# setfacl -d [ACE] [audit file]