Check: GEN002710
HP-UX 11.31 STIG:
GEN002710
(in versions v1 r19 through v1 r13)
Title
All system audit files must not have extended ACLs. (Cat II impact)
Discussion
If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.
Check Content
Inspect the auditing configuration file, /etc/rc.config.d/auditing, to determine the filename and path of the audit logs. The entries should appear similar to the following: PRI_AUDFILE=/var/.audit/file1 SEC_AUDFILE=/var/.audit/file2 # egrep “PRI_AUDFILE|SEC_AUDFILE” /etc/rc.config.d/auditing For each audit log directory/file, check the permissions. # ls -lLd <audit directory> # ls -lLa <audit file> If any audit log directory/file permissions include a “+”, this is a finding.
Fix Text
As root, remove the ACL. # chacl -z <audit directory> # chacl -z <audit file>
Additional Identifiers
Rule ID: SV-38355r2_rule
Vulnerability ID: V-22369
Group Title: GEN002710
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000163 |
The information system protects audit information from unauthorized modification. |
Controls
Number | Title |
---|---|
AU-9 |
Protection Of Audit Information |