6.6. Configure Audit_Control Owner to Mode 440 or Less Permissive Operation not permitted

[MatimusPrime]

I have been trying to work my way through these as a proof of concept but this one and a few after it that all ask to modify the

/etc/security/audit_control

all fail with Operation not permitted running as sudo
the file itself shows system as readonly and everyone as No Access.

Is this common or many due to another piece of security software we may have?

[MatimusPrime]

And in that last sentence as my brain was working I think I answered my own question. Revered a VM back to default and tried it and no issue there. So it must be something else we are applying that locks that file down.

[golbiga]

If you run ls -lO /etc/security/audit_control do you see the uchg flag?

[MatimusPrime]

ok well now 6.14 returns
sed: rename(): Operation not permitted
when running the following
/usr/bin/sed -i.bak 's/^expire-after.*/expire-after:60d OR 5G/' /etc/security/audit_control; /usr/sbin/audit -s

ls -lO /etc/security/audit_control returns
-r-------- 1 root wheel uchg 363 Mar 8 14:09 /etc/security/audit_control

[MatimusPrime]

This is what the script outputs on a freshly installed machine as well

[brodjieski]

It looks like your /etc/security/audit_control file has the uchg flag set. This is likely due to installing cmdReporter or Jamf Compliance Reporter. With this flag set, you cannot modify the file, even with sudo. You can run sudo chflags nouchg /etc/security/audit_control to remove this flag, which will allow the compliance script to run without issue. We have plans to include this command in the script to account for this in future releases.

[MatimusPrime]

Yup running Jamf Protect and changing that flag does the trick and now I know where it's coming from. Thanks!