mediumauditverified ✓rollback-safe
Audit uses of the chacl command
audit-cmd-chacl · RHEL ≥ 8 · 1 impl
Description
All uses of the chacl command must be audited. The chacl command changes file access control lists (ACLs).
Rationale
Auditing chacl usage allows detection of ACL modifications that could grant unauthorized access to files.
Check → Remediate
Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/bin/chacl') if [ -z "$rule" ]; then echo "FAIL: no audit rule for /usr/bin/chacl" exit 1 fi if ! echo "$rule" | grep -q 'perm=x'; then echo "FAIL: audit rule for /usr/bin/chacl missing perm=x" exit 1 fi echo "OK: /usr/bin/chacl is audited"
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
- persist_file:
- /etc/audit/rules.d/50-perm_chng.rules
Framework references
CIS
rhel8 6.3.3.17rhel9 6.3.3.17rhel10 6.3.3.29
STIG
V-281119 / RHEL-10-500330V-258181 / RHEL-09-654035V-230464
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#acl