Check: GEN002718 M6
MACOSX 10.6:
GEN002718 M6
(in version v1 r3)
Title
System audit tool executables must not have extended ACLs. (Cat III impact)
Discussion
To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.
Check Content
Open a terminal session and enter the following command to view the ACLs of the audit tools.
ls -lL /usr/sbin/audit /usr/sbin/auditd /usr/sbin/auditreduce /usr/sbin/praudit
If the permissions include a '+', the file has an extended ACL. This is a finding.
Fix Text
Open a terminal session and use the following command to remove the extended ACLs.
chmod -N <audit file with extended ACL>
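An added example (not part of the STIG text) that automates the check above: it parses `ls -lLe` output and reports each audit tool that has an extended ACL. It adds `-e` to the check's `-lL` because macOS `ls` shows '@' in place of '+' when a file also has extended attributes; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the STIG. Function names are hypothetical.
AUDIT_TOOLS="/usr/sbin/audit /usr/sbin/auditd /usr/sbin/auditreduce /usr/sbin/praudit"

# Read `ls -lLe` output on stdin and print each path that carries an ACL.
find_acl_findings() {
    awk '
        # File line: the 11th character of the mode field is "+" for an ACL.
        /^[-dlbcps]/ {
            path = $NF
            if (substr($1, 11, 1) == "+") { print path; seen[path] = 1 }
            next
        }
        # ACL entry line printed by -e (" 0: user:... allow ..."): catches
        # files whose flag is "@" because they also have extended attributes.
        /^ *[0-9]+: / {
            if (path != "" && !(path in seen)) { print path; seen[path] = 1 }
        }
    '
}

# Constructed sample listing (owners, sizes, dates and ACL entries invented).
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  40000 Jan  1  2010 /usr/sbin/audit
-r-xr-xr-x+ 1 root  wheel  90000 Jan  1  2010 /usr/sbin/auditd
 0: user:alice allow write
-r-xr-xr-x@ 1 root  wheel  70000 Jan  1  2010 /usr/sbin/auditreduce
 0: group:staff allow read
-r-xr-xr-x  1 root  wheel  50000 Jan  1  2010 /usr/sbin/praudit
EOF
}

# Run the check against the real files and print the fix for each finding.
check_audit_tools() {
    # $AUDIT_TOOLS is intentionally unquoted so it splits into four paths.
    ls -lLe $AUDIT_TOOLS | find_acl_findings | while read -r f; do
        echo "FINDING: $f has an extended ACL; remediate with: chmod -N $f"
    done
}

if [ "$(uname -s)" = "Darwin" ]; then
    check_audit_tools
else
    sample_listing | find_acl_findings   # offline demo on the sample listing
fi
```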
Additional Identifiers
Rule ID: SV-38103r1_rule
Vulnerability ID: V-22373
Group Title:
CCIs
CCIs tied to check.
Number | Definition |
---|---|
CCI-001493 | The information system protects audit tools from unauthorized access. |
Controls
Controls tied to check. These are derived from the CCIs shown above.
Number | Title |
---|---|
AU-9 | Protection Of Audit Information |