Information
Monitor changes to file permissions, attributes, ownership and group. The rules in this section record the system calls that modify a file's permissions and attributes. The chmod, fchmod and fchmodat system calls change the permission bits of a file. The chown, fchown, fchownat and lchown system calls change its owner and group. The setxattr, lsetxattr and fsetxattr system calls set extended file attributes, and removexattr, lremovexattr and fremovexattr remove them. In all cases an audit record is written only for non-system login user IDs (auid >= 500); events whose login UID is unset (auid = 4294967295, the unsigned form of -1, which is what daemons and other processes that never passed through a login session carry) are ignored. All audit records are tagged with the key 'perm_mod'.
Rationale:
Changes to file permissions, ownership or extended attributes (for example, making a file setuid or world-writable) can indicate intruder activity or a policy violation. Auditing these system calls gives the system administrator a record of which login user made the change, to which file, and when.
Solution
For 32-bit systems, edit or create a file ending in .rules in the /etc/audit/rules.d/ directory.
Example: vi /etc/audit/rules.d/audit.rules
Add the following lines:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
For 64-bit systems, edit or create a file ending in .rules in the /etc/audit/rules.d/ directory.
Example: vi /etc/audit/rules.d/audit.rules
Add the following lines. Both the b64 and the b32 rules are required: a 64-bit kernel still accepts 32-bit system calls from compat-mode binaries, and a b64-only rule would not see them, so a 32-bit chmod binary could change permissions without generating a record:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
Notes:
Load the new rules with augenrules --load (or restart auditd) and confirm they are active with auditctl -l | grep perm_mod. If the running configuration has been made immutable (-e 2 at the end of the rule set), the kernel refuses further rule changes and a system reboot is required for the new rules to take effect.
The auid threshold should match UID_MIN in /etc/login.defs. On RHEL 7 and most current distributions that value is 1000 (500 was the older default); a threshold lower than UID_MIN only adds records for system accounts, while a higher one silently drops records for real users.
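As an added check (example code, not part of the benchmark text or of the audit project), the script below reads a rules.d file or the output of auditctl -l and reports, for one architecture, which of the thirteen syscalls above have no perm_mod rule and which perm_mod rules dropped the auid filters. It accepts both spellings auditctl -l produces ("-S a,b" for "-S a -S b", "-F key=perm_mod" for "-k perm_mod", and "auid!=-1" for "auid!=4294967295"). The function name, the file path and the sample rules are assumptions; the sample is constructed so that the 32-bit xattr rule is missing, which is exactly the gap a compat-mode binary would slip through.

```shell
#!/bin/sh
# Added example (not part of the benchmark): verify that the perm_mod audit
# rules for one architecture cover every syscall listed on the page and keep
# their auid filters. Input may be a rules.d file or `auditctl -l` output.
#
#   check_perm_mod_rules /etc/audit/rules.d/audit.rules b64
#   auditctl -l | check_perm_mod_rules - b32

PERM_MOD_SYSCALLS="chmod fchmod fchmodat chown fchown fchownat lchown \
setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr"

# $1: rules file ("-" for stdin), $2: arch (b32 or b64).
# Prints each gap found; returns 0 only when nothing is missing.
check_perm_mod_rules() {
    file="$1"; arch="$2"; missing=""; bad=""

    # Active (non-comment) rules keyed perm_mod for the requested arch.
    rules=$(grep -v '^[[:space:]]*#' "$file" \
        | grep -E -- '(-k |-F key=)perm_mod([[:space:]]|$)' \
        | grep -- "arch=$arch") || rules=""

    # Each required syscall must appear as a whole token in some -S list
    # ("-S a,b" is split on the comma; -w keeps chmod from matching fchmod).
    for sc in $PERM_MOD_SYSCALLS; do
        if ! printf '%s\n' "$rules" | tr ',' ' ' | grep -qw -- "$sc"; then
            missing="$missing $sc"
        fi
    done

    # Every matching rule must keep both auid filters; auditctl -l prints
    # the unset auid as -1 (newer builds: "unset") rather than 4294967295.
    if [ -n "$rules" ]; then
        bad=$(printf '%s\n' "$rules" \
            | awk '!/auid>=[0-9]+/ || !/auid!=(4294967295|-1|unset)/')
    fi

    [ -n "$missing" ] && echo "$arch: no perm_mod rule for:$missing"
    [ -n "$bad" ] && printf '%s: rule lacks auid filters: %s\n' "$arch" "$bad"
    [ -z "$missing" ] && [ -z "$bad" ]
}

# Constructed sample (assumption, not a real host's rules): complete 64-bit
# coverage, but the 32-bit xattr rule was left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# perm_mod rules (sample)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
EOF
# b64 passes; b32 reports the six missing xattr syscalls.
for arch in b64 b32; do
    if check_perm_mod_rules "$sample" "$arch"; then
        echo "$arch: all perm_mod rules present"
    fi
done
rm -f "$sample"
```

Run it once against the rules.d file to catch typos before loading, and again against auditctl -l afterwards: the file only shows what was intended, while auditctl -l shows what the kernel is actually enforcing, which is what matters if a load failed part-way or the rule set was immutable.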
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72097
Rule ID: SV-86721r4_rule
STIG ID: RHEL-07-030370
Severity: CAT II
Vul ID: V-72099
Rule ID: SV-86723r4_rule
STIG ID: RHEL-07-030380
Severity: CAT II
Vul ID: V-72101
Rule ID: SV-86725r4_rule
STIG ID: RHEL-07-030390
Severity: CAT II
Vul ID: V-72103
Rule ID: SV-86727r4_rule
STIG ID: RHEL-07-030400
Severity: CAT II
Vul ID: V-72105
Rule ID: SV-86729r4_rule
STIG ID: RHEL-07-030410
Severity: CAT II
Vul ID: V-72107
Rule ID: SV-86731r4_rule
STIG ID: RHEL-07-030420
Severity: CAT II
Vul ID: V-72109
Rule ID: SV-86733r4_rule
STIG ID: RHEL-07-030430
Severity: CAT II
Vul ID: V-72111
Rule ID: SV-86735r4_rule
STIG ID: RHEL-07-030440
Severity: CAT II
Vul ID: V-72113
Rule ID: SV-86737r4_rule
STIG ID: RHEL-07-030450
Severity: CAT II
Vul ID: V-72115
Rule ID: SV-86739r4_rule
STIG ID: RHEL-07-030460
Severity: CAT II
Vul ID: V-72117
Rule ID: SV-86741r4_rule
STIG ID: RHEL-07-030470
Severity: CAT II
Vul ID: V-72119
Rule ID: SV-86743r4_rule
STIG ID: RHEL-07-030480
Severity: CAT II
Vul ID: V-72121
Rule ID: SV-86745r4_rule
STIG ID: RHEL-07-030490
Severity: CAT II