An error occurred:

Check: OL08-00-030570

Oracle Linux 8 STIG: OL08-00-030570 (in versions v2 r4 through v1 r1)

Title

OL 8 must generate audit records for any use of the "chacl" command. (Cat II impact)

Discussion

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chacl" command is used to change the access control list of a file or directory. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215

Check Content

Verify OL 8 generates an audit record for any use of the "chacl" command by running the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w chacl /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng If the command does not return a line or the line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.

Fix Text

Configure the audit system to generate an audit event for any use of the "chacl" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Additional Identifiers

Rule ID: SV-248799r958412_rule

Vulnerability ID: V-248799

Group Title: SRG-OS-000037-GPOS-00015

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000130

Ensure that audit records contain information that establishes what type of event occurred.
CCI-000135

Generate audit records containing the organization-defined additional information that is to be included in the audit records.
CCI-000169

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components.
CCI-000172

Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3.
CCI-002884

Log organization-defined audit events for nonlocal maintenance and diagnostic sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-3

Content of Audit Records
AU-3(1)

Additional Audit Information
AU-12

Audit Generation
MA-4(1)

Auditing and Review