Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:6 [2017/05/04 16:02] (current)
Line 1: Line 1:
 +======4.1.6 Ensure events that modify the system'​s network environment are collected (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 2 - Server
 +Level 2 - Workstation ​
 +</​code>​
 +
 +=====Description=====
 +Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the ''/​etc/​issue''​ and ''/​etc/​issue.net''​ files (messages displayed pre-login), ''/​etc/​hosts''​ (file containing host names and associated IP addresses) and ''/​etc/​sysconfig/​network''​ (directory containing network interface scripts and configurations) files.
 +
 +=====Rationale=====
 +Monitoring ''​sethostname''​ and ''​setdomainname''​ will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring ''/​etc/​issue''​ and ''/​etc/​issue.net''​ is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring ''/​etc/​sysconfig/​network''​ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "​system-locale."​
 +
 +=====Audit===== ​
 +On a 32 bit system run the following command and verify the output matches:
 +<​Code:​bash>​
 +# grep system-locale /​etc/​audit/​audit.rules ​
 +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale ​
 +-w /etc/issue -p wa -k system-locale ​
 +-w /​etc/​issue.net -p wa -k system-locale ​
 +-w /etc/hosts -p wa -k system-locale ​
 +-w /​etc/​sysconfig/​network -p wa -k system-locale
 +</​Code>​
 +
 +On a 64 bit system run the following command and verify the output matches:
 +<​Code:​bash>​
 +# grep system-locale /​etc/​audit/​audit.rules ​
 +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale ​
 +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale ​
 +-w /etc/issue -p wa -k system-locale ​
 +-w /​etc/​issue.net -p wa -k system-locale ​
 +-w /etc/hosts -p wa -k system-locale ​
 +-w /​etc/​sysconfig/​network -p wa -k system-locale
 +</​Code>​
 +=====Remediation===== ​
 +For 32 bit systems add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale ​
 +-w /etc/issue -p wa -k system-locale ​
 +-w /​etc/​issue.net -p wa -k system-locale ​
 +-w /etc/hosts -p wa -k system-locale ​
 +-w /​etc/​sysconfig/​network -p wa -k system-locale
 +</​Code>​
 +For 64 bit systems add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale ​
 +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale ​
 +-w /etc/issue -p wa -k system-locale ​
 +-w /​etc/​issue.net -p wa -k system-locale ​
 +-w /etc/hosts -p wa -k system-locale ​
 +-w /​etc/​sysconfig/​network -p wa -k system-locale
 +</​Code>​