Detections
Analytics

4.1.3.12 Ensure discretionary access control permission modification events are collected - fchownat 4 bit

Information

Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >=1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod.'

Note: Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:

# awk '/^s*UID_MIN/{print $2}' /etc/login.defs

If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures.

Reloading the auditd config to set active settings may require a system reboot.

Rationale:

Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.

Solution

For 32 bit systems edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/50-perm_mod.rules
Add the following lines:

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/50-perm_mod.rules
Add the following lines:

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2d., 800-53|AU-12c., CCI|CCI-000126, CCI|CCI-000172, CSCv7|5.5, Rule-ID|SV-204517r603261_rule, Rule-ID|SV-204518r603261_rule, Rule-ID|SV-204519r603261_rule, Rule-ID|SV-204520r603261_rule, Rule-ID|SV-204521r603261_rule, Rule-ID|SV-204522r603261_rule, Rule-ID|SV-204523r603261_rule, Rule-ID|SV-204524r603261_rule, Rule-ID|SV-204525r603261_rule, Rule-ID|SV-204526r603261_rule, Rule-ID|SV-204527r603261_rule, Rule-ID|SV-204528r603261_rule, Rule-ID|SV-204529r603261_rule, STIG-ID|RHEL-07-030400

Plugin: Unix

Control ID: 084e434f6d58034638e3ec4e31e372b57937eda8aeddc13737d90b001f40b715