SV-230760r599842_rule
V-230760
SRG-OS-000057-GPOS-00027
APPL-11-000030
CAT II
10
For any log file that contains ACLs, run the following command:
/usr/bin/sudo chmod -N [audit log file]
To check if a log file contains ACLs, run the following commands:
/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current
In the output from the above commands, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity").
If any such line exists, this is a finding.
V-230760
False
APPL-11-000030
To check if a log file contains ACLs, run the following commands:
/usr/bin/sudo ls -le $(/usr/bin/sudo /usr/bin/grep '^dir' /etc/security/audit_control | awk -F: '{print $2}') | /usr/bin/grep -v current
In the output from the above commands, ACLs will be listed under any file that may contain them (e.g., "0: group:admin allow list,readattr,reaadextattr,readsecurity").
If any such line exists, this is a finding.
M
5246