SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-261419	SLEM-05-653055	SV-261419r996668_rule		Medium

Description
Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information. SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Description

Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information. SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

STIG	Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide	2024-06-04

Details

Check Text ( C-65148r996666_chk )
To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command: > grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750 If the command does not return any output, this is a finding.

Check Text ( C-65148r996666_chk )

To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command:

> grep "^/usr/sbin/au" /etc/permissions.local
/usr/sbin/audispd root:root 750
/usr/sbin/auditctl root:root 750
/usr/sbin/auditd root:root 750
/usr/sbin/ausearch root:root 755
/usr/sbin/aureport root:root 755
/usr/sbin/autrace root:root 750
/usr/sbin/augenrules root:root 750

If the command does not return any output, this is a finding.

Fix Text (F-65056r996667_fix)
Configure SLEM 5 audit tools to have proper permissions set in the permissions profile. Add or modify the following lines in the "/etc/permissions.local" file: /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750