Blame SOURCES/scap-security-guide-0.1.41-audit_file_ownership.patch

28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule
28bffe
new file mode 100644
28bffe
index 0000000000..2d64245ec8
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule
28bffe
@@ -0,0 +1,38 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Unsuccessul Ownership Changes to Files - chown'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect unsuccessful file ownership change
28bffe
+    attempts for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file.
28bffe
+    
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    If the system is 64 bit then also add the following lines:
28bffe
+    
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+
28bffe
+
28bffe
+rationale: |-
28bffe
+    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
28bffe
+    these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="chown") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the audit rule checks a
28bffe
+        system call independently of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule
28bffe
new file mode 100644
28bffe
index 0000000000..8835dd2d5f
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule
28bffe
@@ -0,0 +1,38 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Unsuccessul Ownership Changes to Files - fchown'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect unsuccessful file ownership change
28bffe
+    attempts for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file.
28bffe
+    
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    If the system is 64 bit then also add the following lines:
28bffe
+    
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+
28bffe
+
28bffe
+rationale: |-
28bffe
+    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
28bffe
+    these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the audit rule checks a
28bffe
+        system call independently of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule
28bffe
new file mode 100644
28bffe
index 0000000000..c40152d7b0
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule
28bffe
@@ -0,0 +1,38 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Unsuccessul Ownership Changes to Files - fchownat'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect unsuccessful file ownership change
28bffe
+    attempts for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file.
28bffe
+    
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    If the system is 64 bit then also add the following lines:
28bffe
+    
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+
28bffe
+
28bffe
+rationale: |-
28bffe
+    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
28bffe
+    these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the audit rule checks a
28bffe
+        system call independently of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule
28bffe
new file mode 100644
28bffe
index 0000000000..2293c4afdd
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule
28bffe
@@ -0,0 +1,38 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Record Unsuccessul Ownership Changes to Files - lchown'
28bffe
+
28bffe
+description: |-
28bffe
+    The audit system should collect unsuccessful file ownership change
28bffe
+    attempts for all users and root.
28bffe
+    If the <tt>auditd</tt> daemon is configured
28bffe
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
28bffe
+    startup (the default), add the following lines to a file with suffix
28bffe
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
28bffe
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
28bffe
+    utility to read audit rules during daemon startup, add the following lines to
28bffe
+    <tt>/etc/audit/audit.rules</tt> file.
28bffe
+    
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    If the system is 64 bit then also add the following lines:
28bffe
+    
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+    -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
+
28bffe
+
28bffe
+rationale: |-
28bffe
+    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
28bffe
+    these events could serve as evidence of potential system compromise.
28bffe
+
28bffe
+severity: medium
28bffe
+
28bffe
+{{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}}
28bffe
+
28bffe
+warnings:
28bffe
+    - general: |-
28bffe
+        Note that these rules can be configured in a
28bffe
+        number of ways while still achieving the desired effect. Here the audit rule checks a
28bffe
+        system call independently of other system calls. Grouping system calls related
28bffe
+        to the same event is more efficient. See the following example:
28bffe
+        
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
28bffe
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
28bffe
index 6ca2b4b58f..5398114123 100644
28bffe
--- a/rhel7/profiles/ospp42-draft.profile
28bffe
+++ b/rhel7/profiles/ospp42-draft.profile
28bffe
@@ -110,9 +110,13 @@ selections:
28bffe
     - audit_rules_execution_setsebool
28bffe
     - audit_rules_mac_modification
28bffe
     - audit_rules_dac_modification_chown
28bffe
+    - audit_rules_unsuccessful_file_modification_chown
28bffe
     - audit_rules_dac_modification_fchownat
28bffe
+    - audit_rules_unsuccessful_file_modification_fchownat
28bffe
     - audit_rules_dac_modification_fchown
28bffe
+    - audit_rules_unsuccessful_file_modification_fchown
28bffe
     - audit_rules_dac_modification_lchown
28bffe
+    - audit_rules_unsuccessful_file_modification_lchown
28bffe
     - audit_rules_privileged_commands_passwd
28bffe
     - audit_rules_privileged_commands_unix_chkpwd
28bffe
     - audit_rules_privileged_commands_userhelper
28bffe
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
28bffe
index 632bd19a68..15cf44c0f4 100644
28bffe
--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
28bffe
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
28bffe
@@ -1,5 +1,9 @@
28bffe
 creat
28bffe
+chown
28bffe
+fchown
28bffe
+fchownat
28bffe
 ftruncate
28bffe
+lchown
28bffe
 open
28bffe
 openat
28bffe
 open_by_handle_at
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh
28bffe
new file mode 100644
28bffe
index 0000000000..4e1e71b717
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh
28bffe
@@ -0,0 +1,8 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+
28bffe
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..d8e8e0b1dd
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh
28bffe
@@ -0,0 +1,6 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+
28bffe
+rm -f /etc/audit/rules.d/*
28bffe
+> /etc/audit/audit.rules
28bffe
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh
28bffe
new file mode 100644
28bffe
index 0000000000..e8691611dc
28bffe
--- /dev/null
28bffe
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh
28bffe
@@ -0,0 +1,8 @@
28bffe
+#!/bin/bash
28bffe
+
28bffe
+# profiles = xccdf_org.ssgproject.content_profile_ospp
28bffe
+
28bffe
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
28bffe
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules