GEN002718 - System audit tool executables must not have extended ACLs - '/sbin/audispd'

Information

To prevent unauthorized access or manipulation of system audit logs, the tools for manipulating those logs must be protected.

Solution

Remove the extended ACL from the file.
# setfacl --remove-all [audit file]
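
A way to confirm whether the file actually carries an extended ACL before and after the fix, as an added example that is not part of the STIG or the original check text. The function names and the sample `getfacl` output (including the user `alice`) are constructed for illustration; `getfacl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: detect extended ACL entries on an audit tool executable.

# Read `getfacl` output on stdin and print every entry that is not one of the
# three base entries (user::, group::, other::). Named user/group entries and
# the mask entry only exist when an extended ACL is present.
extended_acl_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # header comments and blank lines
        /^(user|group|other)::/  { next }   # base permission entries
        { print }
    '
}

# check_audit_tool FILE
# Returns 0 if no extended ACL, 1 if extended entries exist, 2 if unreadable.
check_audit_tool() {
    file=$1
    out=$(getfacl --absolute-names -- "$file" 2>/dev/null) || return 2
    extra=$(printf '%s\n' "$out" | extended_acl_entries)
    if [ -z "$extra" ]; then
        return 0
    fi
    printf 'FINDING: %s has extended ACL entries:\n%s\n' "$file" "$extra"
    printf 'Remediate with: setfacl --remove-all %s\n' "$file"
    return 1
}

# Constructed sample: getfacl output for a file with an extended ACL.
SAMPLE_ACL='# file: /sbin/audispd
# owner: root
# group: root
user::rwx
user:alice:rwx
group::r-x
mask::rwx
other::---'

# Constructed sample: the same file after the ACL has been removed.
SAMPLE_CLEAN='# file: /sbin/audispd
# owner: root
# group: root
user::rwx
group::r-x
other::---'

# Run against a real file only when asked: ./script.sh --check /sbin/audispd
if [ "${1:-}" = "--check" ]; then
    check_audit_tool "${2:-/sbin/audispd}"
fi
```

The check itself is read-only; it only prints the remediation command from the Solution text when a finding exists.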

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip