4.1.11 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat 64 bit

Information

Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'

Rationale:

Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

Notes:

Reloading the auditd config to set active settings may require a system reboot.

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72097

Rule ID: SV-86721r4_rule

STIG ID: RHEL-07-030370

Severity: CAT II



Vul ID: V-72099

Rule ID: SV-86723r4_rule

STIG ID: RHEL-07-030380

Severity: CAT II



Vul ID: V-72101

Rule ID: SV-86725r4_rule

STIG ID: RHEL-07-030390

Severity: CAT II



Vul ID: V-72103

Rule ID: SV-86727r4_rule

STIG ID: RHEL-07-030400

Severity: CAT II



Vul ID: V-72105

Rule ID: SV-86729r4_rule

STIG ID: RHEL-07-030410

Severity: CAT II



Vul ID: V-72107

Rule ID: SV-86731r4_rule

STIG ID: RHEL-07-030420

Severity: CAT II



Vul ID: V-72109

Rule ID: SV-86733r4_rule

STIG ID: RHEL-07-030430

Severity: CAT II



Vul ID: V-72111

Rule ID: SV-86735r4_rule

STIG ID: RHEL-07-030440

Severity: CAT II



Vul ID: V-72113

Rule ID: SV-86737r4_rule

STIG ID: RHEL-07-030450

Severity: CAT II



Vul ID: V-72115

Rule ID: SV-86739r4_rule

STIG ID: RHEL-07-030460

Severity: CAT II



Vul ID: V-72117

Rule ID: SV-86741r4_rule

STIG ID: RHEL-07-030470

Severity: CAT II



Vul ID: V-72119

Rule ID: SV-86743r4_rule

STIG ID: RHEL-07-030480

Severity: CAT II



Vul ID: V-72121

Rule ID: SV-86745r4_rule

STIG ID: RHEL-07-030490

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.5

Plugin: Unix

Control ID: 694cdffdcd17b931eb53a401880568a094c0a158bd22bfea51c25f03585884d9