Profile Applicability:
• Level 2
Description:
The setfacl command is used to set Access Control Lists (ACLs) on files and directories, controlling fine-grained permissions. Recording both successful and unsuccessful attempts to use setfacl helps detect unauthorized changes to file permissions.
Rationale:
Auditing all setfacl command usage provides visibility into permission changes, supporting security monitoring and the detection of misuse.
Impact:
Pros:
Enables detection of unauthorized ACL modifications.
Helps maintain integrity of file permission configurations.
Cons:
May increase audit log size; requires proper log management.
Default Value:
Audit of setfacl command usage is often not enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check current audit rules for setfacl:
auditctl -l | grep setfacl
Verify that a rule watching /usr/bin/setfacl for execute access (-p x) is present, so that executions of setfacl are tracked.
Implementation Plan:
Using Linux command line:
Add audit rules to log both successful and unsuccessful executions of setfacl:
auditctl -w /usr/bin/setfacl -p x -k setfacl-change
Persist the rule by adding the same rule line (without the leading auditctl) to /etc/audit/rules.d/audit.rules so it is reloaded at boot.
Backout Plan:
Using Linux command line:
Remove or disable the setfacl audit rule if needed:
auditctl -W /usr/bin/setfacl -p x -k setfacl-change
Also remove the rule line from /etc/audit/rules.d/audit.rules, then reload the audit daemon configuration so the rule is not re-applied.
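The test plan above inspects the auditctl -l output by eye. The following shell helper, added here as an example and not part of the CIS benchmark, performs the same check programmatically on rule lines read from stdin, so it works both on auditctl -l output and on the persisted files under /etc/audit/rules.d/ and can be dropped into a compliance script. The sample rule lines in the block are constructed, and the auditctl output format assumed is the -w rule syntax printed by audit 2.x and later.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark: check that an audit rule set
# contains a watch on /usr/bin/setfacl that records executions (-p includes x)
# under the expected key. Rule lines are read from stdin, so the same check
# works on `auditctl -l` output and on files under /etc/audit/rules.d/.

# setfacl_watch_present [key]
# Returns 0 when stdin contains a line "-w /usr/bin/setfacl -p <perms> -k <key>"
# with an x among <perms>, 1 otherwise. The default key, setfacl-change, is the
# one used in the implementation plan. (The key is used as a regex fragment,
# so keep it to plain letters, digits, - and _.)
setfacl_watch_present() {
  want_key="${1:-setfacl-change}"
  grep -E "^[[:space:]]*-w[[:space:]]+/usr/bin/setfacl[[:space:]]+-p[[:space:]]+[rwa]*x[rwa]*[[:space:]]+-k[[:space:]]+${want_key}([[:space:]]|\$)" >/dev/null
}

# check_setfacl_audit: report on both the loaded rules and the persisted rules.
# auditctl needs root; a rule that is loaded but not persisted disappears on
# the next augenrules --load or reboot, so both checks must pass.
check_setfacl_audit() {
  status=0
  if auditctl -l 2>/dev/null | setfacl_watch_present; then
    echo "PASS: setfacl execute watch is loaded"
  else
    echo "FAIL: setfacl execute watch is not loaded"
    status=1
  fi
  if cat /etc/audit/rules.d/*.rules 2>/dev/null | setfacl_watch_present; then
    echo "PASS: setfacl execute watch is persisted under /etc/audit/rules.d"
  else
    echo "FAIL: setfacl execute watch is not persisted under /etc/audit/rules.d"
    status=1
  fi
  return "$status"
}

# Constructed sample rule sets (not real system output) showing the matcher
# accepting a correct rule and rejecting one that only watches writes.
good_rules='-w /etc/sudoers -p wa -k scope
-w /usr/bin/setfacl -p x -k setfacl-change'
bad_rules='-w /usr/bin/setfacl -p wa -k setfacl-change'
printf '%s\n' "$good_rules" | setfacl_watch_present && echo "sample good_rules: match"
printf '%s\n' "$bad_rules" | setfacl_watch_present || echo "sample bad_rules: no match"
```

Run check_setfacl_audit as root on the host to get a PASS/FAIL line for both the live and the persisted rule set; its exit status is non-zero if either is missing.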
References:
CIS Amazon Linux 2 Benchmark v3.0.0