Title

The /etc/security/audit_user file must not have an extended ACL. (Cat II impact)

Discussion

Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore their sessions. This would allow malicious operations the auditing subsystem would not detect for that user. It could also result in long-term system compromise possibly leading to the compromise of other systems and networks.

Check Content

Check the permissions of the file. # ls -lL /etc/security/audit_user If the permissions of the file contain a "+", an extended ACL is present, this is a finding.

Fix Text

Remove the extended ACL from the file. # chmod A- /etc/security/audit_user

Additional Identifiers

Rule ID: SV-226410r603265_rule

Vulnerability ID: V-226410

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.