6.3.3.5 Ensure events that modify the system's network environment are collected

Information

Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit:

- sethostname - set the systems host name
- setdomainname - set the systems domain name

The files being monitored are:

- /etc/issue and /etc/issue.net - messages displayed pre-login
- /etc/hosts - file containing host names and associated IP addresses
- /etc/networks - symbolic names for networks
- /etc/network/ - directory containing network interface scripts and configurations files
- /etc/netplan/ - central location for YAML networking configurations files

Monitoring system events that change network environments, such as sethostname and setdomainname helps identify unauthorized alterations to host and domain names, which could compromise security settings reliant on these names. Changes to /etc/hosts can signal unauthorized attempts to alter machine associations with IP addresses, potentially redirecting users and processes to unintended destinations. Surveillance of /etc/issue and /etc/issue.net is crucial to detect intruders inserting false information to deceive users. Monitoring /etc/network/ reveals modifications to network interfaces or scripts that may jeopardize system availability or security. Additionally, tracking changes in the /etc/netplan/ directory ensures swift detection of unauthorized adjustments to network configurations. All audit records should be appropriately tagged for relevance

Solution

Create audit rules

Edit or create a file in the /etc/audit/rules.d/ directory, ending inrules extension, with the relevant rules to monitor events that modify the system's network environment.

Example:

# printf "
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
-w /etc/netplan/ -p wa -k system-locale
" >> /etc/audit/rules.d/50-system_locale.rules

Load audit rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules
"; fi

See Also

https://workbench.cisecurity.org/benchmarks/17074