centos7:4:1:10 [2017/05/04 16:11] (current)
Piotr Kłoczewski created
======4.1.10 Ensure discretionary access control permission modification events are collected (Scored)======
=====Profile Applicability=====
<code>
Level 2 - Server
Level 2 - Workstation
</code>
  
=====Description=====
Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The ''chmod'', ''fchmod'' and ''fchmodat'' system calls affect the permissions associated with a file. The ''chown'', ''fchown'', ''fchownat'' and ''lchown'' system calls affect owner and group attributes on a file. The ''setxattr'', ''lsetxattr'', ''fsetxattr'' (set extended file attributes) and ''removexattr'', ''lremovexattr'', ''fremovexattr'' (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod".

=====Rationale=====
Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.

=====Audit=====
On a 32 bit system run the following command and verify the output matches:
<code bash>
# grep perm_mod /etc/audit/audit.rules
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
</code>
On a 64 bit system run the following command and verify the output matches:
<code bash>
# grep perm_mod /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
</code>

=====Remediation=====
For 32 bit systems add the following lines to the /etc/audit/audit.rules file:
<code bash>
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
</code>
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
<code bash>
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
</code>
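The Audit and Remediation sections above boil down to a string match against /etc/audit/audit.rules, and the Description explains why every rule carries the two auid filters. The POSIX shell script below is an added example written for this page; it is not part of the CIS text or of this wiki. It builds the expected perm_mod rule set for the machine type (b32 only on 32 bit, b64 plus b32 on 64 bit, exactly as the sections above list them), checks a rules file for each rule with whitespace squeezed so a stray double space or tab does not produce a false "missing", and pulls auid, command and executable out of SYSCALL records tagged key="perm_mod" so you can see which login sessions actually tripped the rules. The function names, the sample rules file and the audit.log lines are all constructed for the example; the log field values are invented but follow auditd's record layout.

```shell
#!/bin/sh
# Added example: verify the perm_mod rule set and summarise perm_mod audit records.
# Function names and sample inputs are constructed for this example, not from any host.

# Print the three perm_mod rules the benchmark expects for one arch (b32 or b64).
perm_mod_rules_for_arch() {
    arch="$1"
    printf '%s\n' \
        "-a always,exit -F arch=$arch -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" \
        "-a always,exit -F arch=$arch -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" \
        "-a always,exit -F arch=$arch -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
}

# Full expected set for a machine type (as printed by uname -m): a 64 bit kernel
# needs the b64 rules plus the b32 rules, since 32 bit binaries use the b32 ABI.
expected_perm_mod_rules() {
    case "$1" in
        x86_64|aarch64|ppc64le) perm_mod_rules_for_arch b64; perm_mod_rules_for_arch b32 ;;
        *)                      perm_mod_rules_for_arch b32 ;;
    esac
}

# Drop comments and blank lines, squeeze runs of whitespace to one space.
normalize_rules() {
    grep -v '^[[:space:]]*#' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' -e '/^$/d'
}

# check_perm_mod_rules FILE MACHINE: return 0 if every expected rule is present in
# FILE; otherwise print each missing rule on stderr and return 1.
check_perm_mod_rules() {
    deployed=$(normalize_rules "$1")
    missing=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! printf '%s\n' "$deployed" | grep -Fxq -- "$rule"; then
            echo "missing: $rule" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(expected_perm_mod_rules "$2")
EOF
    [ "$missing" -eq 0 ]
}

# summarize_perm_mod_events LOG: one "auid comm exe" line per SYSCALL record tagged
# perm_mod. With the auid filters in the rules, only auid >= 1000 sessions appear.
summarize_perm_mod_events() {
    grep 'key="perm_mod"' "$1" |
        sed -n 's/.* auid=\([0-9]*\).* comm="\([^"]*\)".* exe="\([^"]*\)".*/\1 \2 \3/p'
}

# --- Demonstration on constructed samples ---
sample_rules=$(mktemp); sample_log=$(mktemp)
trap 'rm -f "$sample_rules" "$sample_log"' EXIT

# Constructed audit.rules: the b64 chown rule is deliberately absent, and one line
# carries a double space that normalization must tolerate.
cat > "$sample_rules" <<'EOF'
# constructed sample, not a real host's rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr  -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
EOF

# Constructed audit.log SYSCALL records (values invented; layout as auditd writes it).
# The third record is a daemon (auid=4294967295) and is not keyed perm_mod.
cat > "$sample_log" <<'EOF'
type=SYSCALL msg=audit(1493910000.101:201): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1493910000.205:202): arch=c000003e syscall=92 success=yes exit=0 items=1 ppid=2001 pid=2005 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="chown" exe="/usr/bin/chown" key="perm_mod"
type=SYSCALL msg=audit(1493910000.300:203): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=700 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="other"
EOF

if check_perm_mod_rules "$sample_rules" x86_64; then
    echo "perm_mod rules: complete"
else
    echo "perm_mod rules: incomplete (missing rules listed above)"
fi
echo "perm_mod events (auid comm exe):"
summarize_perm_mod_events "$sample_log"
```

Run it as `sh check_perm_mod.sh`; on a real host replace the sample paths with /etc/audit/audit.rules and /var/log/audit/audit.log and pass `$(uname -m)` as the machine type. The check reads the file on disk, which is what the Audit section inspects; it says nothing about what the kernel currently enforces, so comparing against the loaded rules (`auditctl -l`) after a restart of auditd is a separate step.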