Navigate

Check: GEN002717

AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE: GEN002717 (in versions v1 r14 through v1 r10)

Title

System audit tool executables must have mode 0750 or less permissive. (Cat III impact)

Discussion

To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.

Check Content

Determine if system audit tool executables have a mode more permissive than 0750. If any do, this is a finding. Audit tools include, but are not limited to, audit, auditcat, auditconv, auditpr, auditselect, auditstream, auditbin, and auditmerge.

Fix Text

Many audit tools have SUID bit set. Before changing permissions on system audit tool executables, check the file permissions for SUID bits. Change the mode of system audit tool executables to 0750. #chmod 0750 or 4750 <system audit tool executable> Document all changes made.

Additional Identifiers

Rule ID: SV-38778r1_rule

Vulnerability ID: V-22372

Group Title: GEN002717

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-001493	The information system protects audit tools from unauthorized access.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AU-9	Protection Of Audit Information