
Collect Discretionary Access Control Permission Modification Events - '64bit chown/fchown/fchownat/lchown'

Details

Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) system calls control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 500) and will ignore daemon events (auid = 4294967295). All audit records will be tagged with the identifier 'perm_mod'.

Rationale

Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.

Solution

For 64-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

For 32-bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd
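As an added example that is not part of the benchmark text, the following POSIX shell script checks whether an audit.rules file carries the rules above for one architecture, using the exact rule shape given here (one -S per syscall, both auid filters, the perm_mod key). The function name check_perm_mod_rules, the sample rules file and its deliberate gaps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: check that an audit.rules
# file gives full perm_mod coverage for one architecture, using the rule
# shape the benchmark prescribes (one "-S name" per syscall, both auid
# filters and the perm_mod key). Function and sample data are constructed.

PERM_MOD_SYSCALLS="chmod fchmod fchmodat chown fchown fchownat lchown \
setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr"

# check_perm_mod_rules <rules-file> <b32|b64>
# Returns 0 when every syscall is covered by an active rule; otherwise
# prints the uncovered syscalls and returns 1. Commented-out rules and
# rules missing either auid filter or the key do not count.
check_perm_mod_rules() {
    rules_file=$1 arch=$2 missing=""
    for sc in $PERM_MOD_SYSCALLS; do
        if ! grep -E "^[[:space:]]*-a[[:space:]]+always,exit" "$rules_file" \
            | grep -E -- "-F[[:space:]]+arch=$arch([[:space:]]|$)" \
            | grep -E -- "-S[[:space:]]+$sc([[:space:]]|$)" \
            | grep -E -- "-F[[:space:]]+auid>=500([[:space:]]|$)" \
            | grep -E -- "-F[[:space:]]+auid!=4294967295([[:space:]]|$)" \
            | grep -E -q -- "-k[[:space:]]+perm_mod([[:space:]]|$)"; then
            missing="$missing $sc"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "arch=$arch: no perm_mod rule for:$missing"
    return 1
}

# Constructed sample rules file with two defects on the 64-bit side: the
# chown rule omits lchown and the xattr rule lacks the daemon exclusion,
# so b64 must be reported non-compliant while b32 passes.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# perm_mod rules (sample)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
EOF

check_perm_mod_rules "$SAMPLE_RULES" b32 && echo "arch=b32: compliant"
check_perm_mod_rules "$SAMPLE_RULES" b64 || echo "arch=b64: NOT compliant"
rm -f "$SAMPLE_RULES"
```

The pattern only recognises the repeated "-S name" form used on this page; a rule written with a comma-separated syscall list after a single -S would be reported as missing even though auditctl accepts it.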

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.


Updated on July 16, 2022