Profile Applicability:
 • Level 2

Description:
 The setfacl command is used to set Access Control Lists (ACLs) on files and directories, controlling fine-grained permissions. Recording both successful and unsuccessful attempts to use setfacl helps detect unauthorized changes to file permissions.

Rationale:
 Auditing all setfacl command usage provides visibility into permission changes, supporting security monitoring and preventing misuse.

Impact:
Pros:

  • Enables detection of unauthorized ACL modifications.

  • Helps maintain integrity of file permission configurations.

Cons:

  • May increase audit log size; requires proper log management.

Default Value:
 Audit of setfacl command usage is often not enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check current audit rules for setfacl:

auditctl -l | grep setfacl

  1. Verify audit rules exist for tracking executions of setfacl.

Implementation Plan:

Using Linux command line:

Add audit rules to log both successful and unsuccessful executions of setfacl:

auditctl -w /usr/bin/setfacl -p x -k setfacl-change

  1. Persist the rule by adding the above line (without the leading auditctl) to /etc/audit/rules.d/audit.rules.
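As an added example that is not part of this benchmark text, the following POSIX shell check applies the Test Plan's verification step to the rule added in the Implementation Plan: it parses an auditctl -l style listing and reports whether a rule auditing execution of /usr/bin/setfacl under the key setfacl-change is present, accepting both the -w watch form and the equivalent -F path=/perm=/key= form. The sample listing is constructed; on an audited host, pipe the real auditctl -l output into the function.

```shell
#!/bin/sh
# Added compliance check (example, not part of the benchmark): decide whether an
# auditctl -l listing contains a rule that audits execution of /usr/bin/setfacl
# under the key setfacl-change, in either the watch form
#   -w /usr/bin/setfacl -p x -k setfacl-change
# or the equivalent syscall form
#   -a always,exit -F path=/usr/bin/setfacl -F perm=x -F key=setfacl-change

# Reads rule lines on stdin; returns 0 when a matching rule is found, else 1.
setfacl_rule_present() {
  while IFS= read -r rule; do
    path= perms= key=
    # Split the rule into its arguments (default IFS) and walk option/value pairs.
    # shellcheck disable=SC2086
    set -- $rule
    while [ $# -gt 0 ]; do
      case "$1" in
        -w) path=$2; [ $# -gt 1 ] && shift ;;
        -p) perms=$2; [ $# -gt 1 ] && shift ;;
        -k) key=$2; [ $# -gt 1 ] && shift ;;
        -F) case "$2" in
              path=*) path=${2#path=} ;;
              perm=*) perms=${2#perm=} ;;
              key=*)  key=${2#key=} ;;
            esac
            [ $# -gt 1 ] && shift ;;
      esac
      shift
    done
    # The permission set must include execute (x); r/w/a alone would not log runs.
    case "$perms" in *x*) ;; *) continue ;; esac
    [ "$path" = /usr/bin/setfacl ] && [ "$key" = setfacl-change ] && return 0
  done
  return 1
}

# Constructed sample listing standing in for live auditctl -l output.
SAMPLE_RULES='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F key=exec
-w /usr/bin/setfacl -p x -k setfacl-change'

# Live use on an audited host: auditctl -l | setfacl_rule_present
if printf '%s\n' "$SAMPLE_RULES" | setfacl_rule_present; then
  echo "PASS: setfacl execution audit rule is present"
else
  echo "FAIL: missing rule; add '-w /usr/bin/setfacl -p x -k setfacl-change'"
fi
```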

Backout Plan:

Using Linux command line:

Remove or disable the setfacl audit rule if needed:

auditctl -W /usr/bin/setfacl -p x -k setfacl-change

  1. Reload audit daemon configuration.

References: