Title

SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access. (Cat II impact)

Discussion

Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information. SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Check Content

To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command: > grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750 If the command does not return any output, this is a finding.

Fix Text

Configure SLEM 5 audit tools to have proper permissions set in the permissions profile. Add or modify the following lines in the "/etc/permissions.local" file: /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750

Additional Identifiers

Rule ID: SV-261419r996668_rule

Vulnerability ID: V-261419

Group Title: SRG-OS-000256-GPOS-00097

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.