documentation_complete: true
title: 'Configure AIDE to Verify Access Control Lists (ACLs)'
description: |-
By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in {{{ aide_conf_path }}}:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
{{% if "debian" in product %}}
The remediation provided with this rule adds acl to the OwnerMode rule
in {{{ aide_conf_path }}}
{{% else %}}
The remediation provided with this rule adds acl to all rule sets available in
{{{ aide_conf_path }}}
{{% endif %}}
rationale: |-
ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools.
severity: low
identifiers:
cce@rhel8: CCE-84220-3
cce@rhel9: CCE-90837-6
cce@rhel10: CCE-89640-7
cce@sle12: CCE-83150-3
cce@sle15: CCE-85623-7
cce@slmicro5: CCE-93742-5
cce@slmicro6: CCE-95052-7
references:
cis-csc: 2,3
cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02
isa-62443-2009: 4.3.4.4.4
isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8'
iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4
nist: SI-7,SI-7(1),CM-6(a)
nist-csf: PR.DS-6,PR.DS-8
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-021600
stigid@ol8: OL08-00-040310
stigid@sle12: SLES-12-010520
stigid@sle15: SLES-15-040040
ocil_clause: 'the acl option is missing or not added to the correct ruleset'
ocil: |-
To determine that AIDE is verifying ACLs, run the following command:
$ grep acl {{{ aide_conf_path }}}
Verify that the acl option is added to the correct ruleset.
fixtext: |-
Configure the file integrity tool to check file and directory ACLs.
If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
srg_requirement: 'The {{{ full_name }}} file integrity tool must be configured to verify Access Control Lists (ACLs).'