Detections
Analytics

4.1.11 Ensure discretionary access control permission modification events are collected - b32 setxattr

Information

Monitor changes to file permissions, attributes, ownership and group. The parameters in
this section track changes for system calls that affect file permissions and attributes. The
chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The
chown , fchown , fchownat and lchown system calls affect owner and group attributes on a
file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr ,
lremovexattr , fremovexattr (remove extended file attributes) control extended file
attributes. In all cases, an audit record will only be written for non-system user ids (auid >=
500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged
with the identifier "perm_mod."

Rationale:

Monitoring for changes in file attributes could alert a system administrator to activity that
could indicate intruder activity or policy violation.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in
.rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F
auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in
.rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F
auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F
auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F
auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295
-k perm_mod

Notes:

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.6, CSCv7|5.5

Plugin: Unix

Control ID: 72e6bb816d0655044c688a9f545b4c6a5a460e746a0aeced8863d0f81fecb596