← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the setfacl command

audit-cmd-setfacl · RHEL ≥ 8 · 1 impl

Description

All uses of the setfacl command must be audited. The setfacl command sets file access control lists which control permissions.

Rationale

Auditing setfacl usage allows detection of ACL modifications that could grant unauthorized access to sensitive files.

Check → Remediate

Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/bin/setfacl')
if [ -z "$rule" ]; then
  echo "FAIL: no audit rule for /usr/bin/setfacl"
  exit 1
fi
if ! echo "$rule" | grep -q 'perm=x'; then
  echo "FAIL: audit rule for /usr/bin/setfacl missing perm=x"
  exit 1
fi
echo "OK: /usr/bin/setfacl is audited"
expected_exit:
0
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
persist_file:
/etc/audit/rules.d/50-perm_chng.rules

Framework references

CIS

rhel8 6.3.3.16rhel9 6.3.3.16rhel10 6.3.3.28

STIG

V-281120 / RHEL-10-500340V-258182 / RHEL-09-654040V-230435

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#acl