Rule ID
SV-261419r996668_rule
Version
V1R4
Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information. SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command:
> grep "^/usr/sbin/au" /etc/permissions.local
/usr/sbin/audispd root:root 750
/usr/sbin/auditctl root:root 750
/usr/sbin/auditd root:root 750
/usr/sbin/ausearch root:root 755
/usr/sbin/aureport root:root 755
/usr/sbin/autrace root:root 750
/usr/sbin/augenrules root:root 750
If the command does not return any output, this is a finding.Configure SLEM 5 audit tools to have proper permissions set in the permissions profile. Add or modify the following lines in the "/etc/permissions.local" file: /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750