mediumauditverified ✓rollback-safe
Audit uses of the setfacl command
audit-cmd-setfacl · RHEL ≥ 8 · 1 impl
Description
All uses of the setfacl command must be audited. The setfacl command sets file access control lists which control permissions.
Rationale
Auditing setfacl usage allows detection of ACL modifications that could grant unauthorized access to sensitive files.
Check → Remediate
Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/bin/setfacl') if [ -z "$rule" ]; then echo "FAIL: no audit rule for /usr/bin/setfacl" exit 1 fi if ! echo "$rule" | grep -q 'perm=x'; then echo "FAIL: audit rule for /usr/bin/setfacl missing perm=x" exit 1 fi echo "OK: /usr/bin/setfacl is audited"
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
- persist_file:
- /etc/audit/rules.d/50-perm_chng.rules
Framework references
CIS
rhel8 6.3.3.16rhel9 6.3.3.16rhel10 6.3.3.28
STIG
V-281120 / RHEL-10-500340V-258182 / RHEL-09-654040V-230435
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#acl