GEN000000-SOL00110 - The /etc/security/audit_user file must not have an extended ACL.


Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore their sessions. This would allow malicious operations the auditing subsystem would not detect for that user. It could also result in long-term system compromise possibly leading to the compromise of other systems and networks.


Remove the extended ACL from the file.
# chmod A- /etc/security/audit_user

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.