Profile Applicability:
 • Level 2

Description:
 The chacl command modifies Access Control Lists (ACLs) on files and directories, which control access permissions. Recording both successful and unsuccessful attempts to use chacl is essential to detect unauthorized changes and maintain file permission integrity.

Rationale:
 Auditing all executions of the chacl command helps monitor changes to ACLs, supporting security compliance and preventing misuse.

Impact:
 Pros:

  • Provides comprehensive tracking of ACL modifications.

  • Enhances detection of unauthorized permission changes.

 Cons:

  • May increase audit log volume; requires appropriate log management.

Default Value:
 Audit of chacl command usage is typically not enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check current audit rules for chacl:

auditctl -l | grep chacl

  1. Verify audit rules exist for monitoring chacl executions.
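
The grep above matches any rule line that mentions chacl, including a watch without the x permission or a rule for a different path such as /usr/bin/chacl.bak. The shell function below is an added example, not part of the benchmark text: it reads rules on stdin and succeeds only when one audits execution of the exact path. It goes beyond the watch rule on this page by also accepting the equivalent -a always,exit -F path=... -F perm=x form; the function name and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a rule set really audits execution of a binary.
# Input on stdin: "auditctl -l" output or the contents of a rules.d file.
# Assumption: a rule only counts if it names the x permission explicitly.
has_exec_rule() {
    target=$1
    set -f                                   # rule text must not be glob-expanded
    while read -r line; do                   # read strips leading/trailing blanks
        case $line in ''|'#'*) continue ;; esac    # blank or commented-out rule
        path='' perm='' action='' prev=''
        for word in $line; do
            case $prev in
                -w) path=$word ;;            # watch form: -w PATH -p PERMS
                -p) perm=$word ;;
                -a|-A) action=$word ;;       # syscall form: -a always,exit ...
                -F) case $word in
                        path=*) path=${word#path=} ;;
                        perm=*) perm=${word#perm=} ;;
                    esac ;;
            esac
            prev=$word
        done
        [ "$path" = "$target" ] || continue        # exact path, not a substring
        case $action in *never*) continue ;; esac  # "never" rules suppress events
        case $perm in *x*) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# Constructed sample rule sets (not taken from a real host).
WEAK_RULES='# -w /usr/bin/chacl -p x -k chacl-change
-w /usr/bin/chacl -p wa -k chacl-change
-w /usr/bin/chacl.bak -p x -k chacl-change
-a never,exit -F path=/usr/bin/chacl -F perm=x'
WATCH_RULE='-w /usr/bin/chacl -p x -k chacl-change'
SYSCALL_RULE='-a always,exit -F path=/usr/bin/chacl -F perm=x -F key=chacl-change'

for name in WEAK_RULES WATCH_RULE SYSCALL_RULE; do
    eval "rules=\$$name"
    if printf '%s\n' "$rules" | has_exec_rule /usr/bin/chacl; then
        echo "$name: chacl execution is audited"
    else
        echo "$name: no effective rule, although grep chacl matches"
    fi
done
```

On a live host the same function can be fed the loaded rules: auditctl -l | has_exec_rule /usr/bin/chacl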

Implementation Plan:

Using Linux command line:

Add audit rule to monitor executions of chacl:

auditctl -w /usr/bin/chacl -p x -k chacl-change

  1. Persist audit rule by adding it to /etc/audit/rules.d/audit.rules.

Backout Plan:

Using Linux command line:

Remove or disable the chacl audit rule if necessary:

auditctl -W /usr/bin/chacl -p x -k chacl-change

  1. Reload audit daemon configuration.