8.1.10 Collect Discretionary Access Control Permission Modification Events- '64bit setxattr'

Information

Monitor changes to file permissions, attributes, ownership and group. The parameters in
this section track changes for system calls that affect file permissions and attributes. The
chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The
chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file.
The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr,
lremovexattr, fremovexattr (remove extended file attributes) control extended file
attributes. In all cases, an audit record will only be written for non-system userids (auid >=
500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged
with the identifier 'perm_mod.'

*Rationale*

Monitoring for changes in file attributes could alert a system administrator to activity that
could indicate intruder activity or policy violation.

Solution

For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: d6c55621418783448e75435d699bcb95f4e81fd23c6bd814974acabb7c0c4b66