|
 |
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..2d64245ec8
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Ownership Changes to Files - chown'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file ownership change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="chown") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..8835dd2d5f
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Ownership Changes to Files - fchown'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file ownership change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..c40152d7b0
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Ownership Changes to Files - fchownat'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file ownership change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..2293c4afdd
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Ownership Changes to Files - lchown'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file ownership change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
|
|
|
7629ac |
index 6ca2b4b58f..5398114123 100644
|
|
|
7629ac |
--- a/rhel7/profiles/ospp42-draft.profile
|
|
|
7629ac |
+++ b/rhel7/profiles/ospp42-draft.profile
|
|
|
7629ac |
@@ -110,9 +110,13 @@ selections:
|
|
|
7629ac |
- audit_rules_execution_setsebool
|
|
|
7629ac |
- audit_rules_mac_modification
|
|
|
7629ac |
- audit_rules_dac_modification_chown
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_chown
|
|
|
7629ac |
- audit_rules_dac_modification_fchownat
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_fchownat
|
|
|
7629ac |
- audit_rules_dac_modification_fchown
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_fchown
|
|
|
7629ac |
- audit_rules_dac_modification_lchown
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_lchown
|
|
|
7629ac |
- audit_rules_privileged_commands_passwd
|
|
|
7629ac |
- audit_rules_privileged_commands_unix_chkpwd
|
|
|
7629ac |
- audit_rules_privileged_commands_userhelper
|
|
|
7629ac |
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
7629ac |
index 632bd19a68..15cf44c0f4 100644
|
|
|
7629ac |
--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
7629ac |
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
7629ac |
@@ -1,5 +1,9 @@
|
|
|
7629ac |
creat
|
|
|
7629ac |
+chown
|
|
|
7629ac |
+fchown
|
|
|
7629ac |
+fchownat
|
|
|
7629ac |
ftruncate
|
|
|
7629ac |
+lchown
|
|
|
7629ac |
open
|
|
|
7629ac |
openat
|
|
|
7629ac |
open_by_handle_at
|
|
|
7629ac |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..4e1e71b717
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh
|
|
|
7629ac |
@@ -0,0 +1,8 @@
|
|
|
7629ac |
+#!/bin/bash
|
|
|
7629ac |
+
|
|
|
7629ac |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
7629ac |
+
|
|
|
7629ac |
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..d8e8e0b1dd
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh
|
|
|
7629ac |
@@ -0,0 +1,6 @@
|
|
|
7629ac |
+#!/bin/bash
|
|
|
7629ac |
+
|
|
|
7629ac |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
7629ac |
+
|
|
|
7629ac |
+rm -f /etc/audit/rules.d/*
|
|
|
7629ac |
+> /etc/audit/audit.rules
|
|
|
7629ac |
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..e8691611dc
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh
|
|
|
7629ac |
@@ -0,0 +1,8 @@
|
|
|
7629ac |
+#!/bin/bash
|
|
|
7629ac |
+
|
|
|
7629ac |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
7629ac |
+
|
|
|
7629ac |
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|
|
|
7629ac |
+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
|