An error occurred:

Check: GEN002710

HP-UX 11.31 STIG: GEN002710 (in versions v1 r19 through v1 r13)

Title

All system audit files must not have extended ACLs. (Cat II impact)

Discussion

If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.

Check Content

Inspect the auditing configuration file, /etc/rc.config.d/auditing, to determine the filename and path of the audit logs. The entries should appear similar to the following: PRI_AUDFILE=/var/.audit/file1 SEC_AUDFILE=/var/.audit/file2 # egrep “PRI_AUDFILE|SEC_AUDFILE” /etc/rc.config.d/auditing For each audit log directory/file, check the permissions. # ls -lLd <audit directory> # ls -lLa <audit file> If any audit log directory/file permissions include a “+”, this is a finding.

Fix Text

As root, remove the ACL. # chacl -z <audit directory> # chacl -z <audit file>

Additional Identifiers

Rule ID: SV-38355r2_rule

Vulnerability ID: V-22369

Group Title: GEN002710

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000163

The information system protects audit information from unauthorized modification.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-9

Protection Of Audit Information