Title

System audit tool executables must be owned by root. (Cat III impact)

Discussion

To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.

Check Content

Verify the audit tools are owned by root or bin (bin is the default owner). The list of files should minimally include the following: audevent - Change/display event/system call status. audfilter - Load/clear/display the audit filtering policy. auditdp - Selectively read/write and convert/format the audit data. audisp - Display audit records. audomon - Audit file monitoring and size parameter setpoints. audsys - Start/stop auditing; set/display the audit file or directory information. userdbset - Select user to be audited. # ls -lL /usr/sbin/aud* /usr/sbin/userdb* If any system audit tool is not owned by root or bin, this is a finding.

Fix Text

As root, change the file ownership. # chown root <audit_tool_filename>

Additional Identifiers

Rule ID: SV-26506r2_rule

Vulnerability ID: V-22370

Group Title: GEN002715

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.