4.1.6 Ensure events that modify the system's network environment are collected - auditctl '/etc/network'

Information

Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files.

Rationale:

Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier 'system-locale.'

Solution

For 32 bit systems add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale

For 64 bit systems add the following lines to the /etc/audit/audit.rules file:

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale

Impact:

Auditing can produce a large amount of information, creating large and/or many audit log files.

Notes:

/etc/network is common Debian based distributions.

Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/sysconfig/network.

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2619

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.5

Plugin: Unix

Control ID: 1c668c39205adee7c7007c414a609e331b61f429173bdd253013c7607add4157