Record Events That Modify the System’s Network Environment- ‘/etc/issue’

Details

Record changes to network environment files or system calls. The parameters below monitor the sethostname (set the system's host name) and setdomainname (set the system's domain name) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations).

*Rationale*

Monitoring sethostname and setdomainname will identify potential unauthorized changes to the host name and domain name of a system. Changing these names could break security parameters that are set based on them. The /etc/hosts file is monitored because changes to it can indicate that an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier ‘system-locale.’

Solution

For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd
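
One way to confirm that a rules file carries the lines above, as an added example that is not part of the CIS benchmark or of this article. The function names and the 64/32 argument are assumptions, and the check compares rule text in a file (after whitespace normalisation), not the rules currently loaded in the kernel.

```shell
#!/bin/sh
# Added example (not CIS text): report which system-locale rules from the
# Solution section are absent from an audit.rules file.

# Emit the expected rules; $1 is the word size, 64 or 32 (assumed argument).
expected_rules() {
    if [ "$1" = 64 ]; then
        printf '%s\n' '-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale'
    fi
    printf '%s\n' '-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale'
    for path in /etc/issue /etc/issue.net /etc/hosts /etc/network; do
        printf '%s\n' "-w $path -p wa -k system-locale"
    done
}

# Drop comments and blank lines and squeeze whitespace so spacing differences
# do not cause false "missing" results.
normalise_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Print every expected rule that the file ($1) lacks; return 1 if any is missing.
missing_system_locale_rules() {
    normalised=$(normalise_rules "$1")
    status=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$normalised" | grep -Fxq -e "$rule"; then
            printf '%s\n' "$rule"
            status=1
        fi
    done <<EOF
$(expected_rules "$2")
EOF
    return "$status"
}

# Constructed sample: a 64-bit rules file that lacks the /etc/hosts watch.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname   -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/network -p wa -k system-locale   # constructed trailing comment
EOF
missing_system_locale_rules "$sample" 64 || echo "audit.rules is missing the rules listed above"
rm -f "$sample"
```

On a real host, pass /etc/audit/audit.rules as the first argument. A rule written with a different but equivalent option order is reported as missing, because the comparison is textual.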

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.

Updated on July 16, 2022