Check: GEN002716
HP-UX 11.23 STIG:
GEN002716
(in version v1 r8)
Title
System audit tool executables must be group-owned by root, bin, sys, or other. (Cat III impact)
Discussion
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
Check Content
Verify the audit tools are group-owned by root, bin, sys, or other. The list of files should minimally include the following: audevent - Change/display event/system call status. audfilter - Load/clear/display the audit filtering policy. auditdp - Selectively read/write and convert/format the audit data. audisp - Display audit records. audomon - Audit file monitoring and size parameter setpoints. audsys - Start/stop auditing; set/display the audit file or directory information. userdbset - Select user to be audited. # ls -lL /usr/sbin/aud* /usr/sbin/userdb* If any system audit tool is not group-owned by root, bin, sys, or other, this is a finding.
Fix Text
As root, change the file group ownership. # chgrp root <audit_tool_filename>
Additional Identifiers
Rule ID: SV-26509r2_rule
Vulnerability ID: V-22371
Group Title: GEN002716
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001493 |
The information system protects audit tools from unauthorized access. |
Controls
Number | Title |
---|---|
AU-9 |
Protection Of Audit Information |