Check: GEN002710 M6
MACOSX 10.6: GEN002710 M6 (in version v1 r3)
Title
All system audit files must not have extended ACLs. (Cat II impact)
Discussion
If a user can write to the audit logs, then audit trails can be modified or destroyed and system intrusion may not be detected.
Check Content
Open a terminal session and enter the following command to view the ACLs of the audit files.

    ls -Ll /var/audit

If the permissions include a '+', the file has an extended ACL; this is a finding.
Fix Text
Open a terminal session and enter the following command to remove the extended ACLs.

    chmod -N </var/audit/ file with extended ACL>
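
The check and fix above as a script, added here as an example and not part of the STIG text: it reads `ls -Ll` output, reports entries whose mode field ends in '+', and prints (does not run) the matching `chmod -N` commands. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG text): flag audit files whose `ls -l` mode
# field carries the '+' extended-ACL marker.

# Constructed sample of `ls -Ll /var/audit` output, so the script runs offline.
sample_listing() {
cat <<'EOF'
total 24
-r--r-----  1 root  wheel  1043 Mar  2 09:14 20100302091400.20100302101400
-r--r-----+ 1 root  wheel   877 Mar  2 10:14 20100302101400.20100302111400
-r--r-----  1 root  wheel   512 Mar  2 11:14 20100302111400.not_terminated
-rw-r-----+ 1 root  wheel   120 Mar  2 11:20 notes copy.txt
EOF
}

# Read a long listing on stdin; print the name of each entry whose
# 10-character mode string is followed by '+'.
acl_findings() {
    awk '
        NF >= 9 && length($1) == 11 && substr($1, 11, 1) == "+" {
            line = $0
            # Drop the 8 leading columns; what remains is the file name,
            # including any embedded spaces.
            for (i = 1; i < 9; i++) sub(/^ *[^ ]+ +/, "", line)
            print line
        }'
}

# Print the fix command for every finding under directory $1.
# Commands are printed for review, not executed.
acl_fix_commands() {
    dir=$1
    acl_findings | while IFS= read -r name; do
        printf "chmod -N '%s/%s'\n" "$dir" "$name"
    done
}

# Demo on the constructed sample. On a real host, feed it the check command:
#   ls -Ll /var/audit | acl_fix_commands /var/audit
sample_listing | acl_fix_commands /var/audit
```

No output means no finding. After applying the printed commands, re-run the check to confirm the '+' is gone.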
Additional Identifiers
Rule ID: SV-38102r1_rule
Vulnerability ID: V-22369
Group Title:
CCIs
CCIs tied to check.
Number | Definition |
---|---|
CCI-000163 | The information system protects audit information from unauthorized modification. |
Controls
Controls tied to check. These are derived from the CCIs shown above.
Number | Title |
---|---|
AU-9 | Protection Of Audit Information |