4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit

Information

The /audit directory is the default location for output produced from the audit subsystem. The audit subsystem configuration files are in /etc/security/audit.

Rationale:

The /etc/security/audit and /audit directories store the audit configuration and output files. Access controls must prevent unauthorized access.

Solution

Ensure correct ownership and permissions are in place for /etc/security/audit and /audit.

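#!/usr/bin/ksh -e
# audit_subsys:4.8.1.4
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
for AUDITDIR in /etc/security/audit /audit; do
# Set owner root and group audit on every entry, skipping lost+found
find "${AUDITDIR}" | grep -v 'lost+found' | xargs chown root:audit
# Directories: owner rwx, group read plus setgid, no access for others
find "${AUDITDIR}" -type d | grep -v 'lost+found' | xargs chmod u=rwx,g=rs,o=
# Everything else: owner rw, group read, no access for others
find "${AUDITDIR}" ! -type d | grep -v 'lost+found' | xargs chmod -R u=rw,g=r,o=
done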
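
A read-only check for the state the script above sets, as an added example that is not part of the CIS benchmark or the AIXTools script. The function names and argument order are assumptions; the check flags any entry not owned by the expected owner and group, any directory whose mode is not 2740 (u=rwx,g=rs,o=) and any other file whose mode is not 0640 (u=rw,g=r,o=).

```sh
#!/bin/sh
# Added example: read-only verification of the ownership and modes that the
# remediation script sets. Function names and arguments are illustrative.

# Print every entry under DIR ($1) that deviates from the expected state:
#   owner $2, group $3, directories 2740 (u=rwx,g=rs,o=),
#   other files 0640 (u=rw,g=r,o=). lost+found is skipped, as in the
#   remediation script. Symbolic links are checked for ownership only,
#   because their own mode bits are not meaningful.
audit_perm_deviations() {
    find "$1" -name 'lost+found' -prune -o \( \
        ! -user "$2" -o ! -group "$3" -o \
        \( -type d ! -perm 2740 \) -o \
        \( ! -type d ! -type l ! -perm 0640 \) \
    \) -print
}

# check_audit_dirs OWNER GROUP DIR...
# Lists deviating entries with ls -ld; returns 0 only if every DIR exists
# and has no deviations.
check_audit_dirs() {
    owner=$1 group=$2
    shift 2
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing: $d"
            rc=1
            continue
        fi
        bad=$(audit_perm_deviations "$d" "$owner" "$group")
        if [ -n "$bad" ]; then
            echo "$bad" | while IFS= read -r p; do ls -ld "$p"; done
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the system being audited:
#   check_audit_dirs root audit /etc/security/audit /audit
```

A non-zero return means at least one entry needs the remediation above; the `ls -ld` output shows its current owner, group and mode.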

Default Value:

N/A

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: a55388fd6741cfe4a8f5c73a30eac7fbb310c5c3a9780e879cc4bf6476cd3fe5