← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the chacl command

audit-cmd-chacl · RHEL ≥ 8 · 1 impl

Description

All uses of the chacl command must be audited. The chacl command changes file access control lists (ACLs).

Rationale

Auditing chacl usage allows detection of ACL modifications that could grant unauthorized access to files.

Check → Remediate

Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/bin/chacl')
if [ -z "$rule" ]; then
  echo "FAIL: no audit rule for /usr/bin/chacl"
  exit 1
fi
if ! echo "$rule" | grep -q 'perm=x'; then
  echo "FAIL: audit rule for /usr/bin/chacl missing perm=x"
  exit 1
fi
echo "OK: /usr/bin/chacl is audited"
expected_exit:
0
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
persist_file:
/etc/audit/rules.d/50-perm_chng.rules

Framework references

CIS

rhel8 6.3.3.17rhel9 6.3.3.17rhel10 6.3.3.29

STIG

V-281119 / RHEL-10-500330V-258181 / RHEL-09-654035V-230464

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#acl