|
 |
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..fc5d1c0b92
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - chmod'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="chmod") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..0b86c9b6b9
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - fchmod'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..6b9a4796ca
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - fchmodat'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..7a20898b00
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - fremovexattr'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..aa2d8fddf1
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - fsetxattr'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..ceac04e986
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - lremovexattr'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..6ff2f59d03
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - lsetxattr'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..b8946872d7
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - removexattr'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule
|
|
|
7629ac |
new file mode 100644
|
|
|
7629ac |
index 0000000000..a14cc93628
|
|
|
7629ac |
--- /dev/null
|
|
|
7629ac |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule
|
|
|
7629ac |
@@ -0,0 +1,38 @@
|
|
|
7629ac |
+documentation_complete: true
|
|
|
7629ac |
+
|
|
|
7629ac |
+prodtype: rhel7,fedora
|
|
|
7629ac |
+
|
|
|
7629ac |
+title: 'Record Unsuccessul Permission Changes to Files - setxattr'
|
|
|
7629ac |
+
|
|
|
7629ac |
+description: |-
|
|
|
7629ac |
+ The audit system should collect unsuccessful file permission change
|
|
|
7629ac |
+ attempts for all users and root.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured
|
|
|
7629ac |
+ to use the <tt>augenrules</tt> program to read audit rules during daemon
|
|
|
7629ac |
+ startup (the default), add the following lines to a file with suffix
|
|
|
7629ac |
+ <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
|
|
|
7629ac |
+ If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
|
|
|
7629ac |
+ utility to read audit rules during daemon startup, add the following lines to
|
|
|
7629ac |
+ <tt>/etc/audit/audit.rules</tt> file.
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ If the system is 64 bit then also add the following lines:
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+ -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
+
|
|
|
7629ac |
+
|
|
|
7629ac |
+rationale: |-
|
|
|
7629ac |
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
|
|
|
7629ac |
+ these events could serve as evidence of potential system compromise.
|
|
|
7629ac |
+
|
|
|
7629ac |
+severity: medium
|
|
|
7629ac |
+
|
|
|
7629ac |
+{{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}}
|
|
|
7629ac |
+
|
|
|
7629ac |
+warnings:
|
|
|
7629ac |
+ - general: |-
|
|
|
7629ac |
+ Note that these rules can be configured in a
|
|
|
7629ac |
+ number of ways while still achieving the desired effect. Here the audit rule checks a
|
|
|
7629ac |
+ system call independently of other system calls. Grouping system calls related
|
|
|
7629ac |
+ to the same event is more efficient. See the following example:
|
|
|
7629ac |
+ -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
|
|
7629ac |
diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
|
|
|
7629ac |
index 42c1e98e39..9802576814 100644
|
|
|
7629ac |
--- a/rhel7/profiles/ospp42-draft.profile
|
|
|
7629ac |
+++ b/rhel7/profiles/ospp42-draft.profile
|
|
|
7629ac |
@@ -108,6 +108,15 @@ selections:
|
|
|
7629ac |
- audit_rules_dac_modification_lsetxattr
|
|
|
7629ac |
- audit_rules_dac_modification_removexattr
|
|
|
7629ac |
- audit_rules_dac_modification_setxattr
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_chmod
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_fchmodat
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_fchmod
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_fremovexattr
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_fsetxattr
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_lremovexattr
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_lsetxattr
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_removexattr
|
|
|
7629ac |
+ - audit_rules_unsuccessful_file_modification_setxattr
|
|
|
7629ac |
- audit_rules_execution_chcon
|
|
|
7629ac |
- audit_rules_execution_restorecon
|
|
|
7629ac |
- audit_rules_execution_semanage
|
|
|
7629ac |
diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
7629ac |
index 61b81a2ae0..5cc029eb92 100644
|
|
|
7629ac |
--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
7629ac |
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
|
|
|
7629ac |
@@ -1,14 +1,23 @@
|
|
|
7629ac |
creat
|
|
|
7629ac |
+chmod
|
|
|
7629ac |
chown
|
|
|
7629ac |
+fchmod
|
|
|
7629ac |
+fchmodat
|
|
|
7629ac |
fchown
|
|
|
7629ac |
fchownat
|
|
|
7629ac |
+fremovexattr
|
|
|
7629ac |
+fsetxattr
|
|
|
7629ac |
ftruncate
|
|
|
7629ac |
lchown
|
|
|
7629ac |
+lremovexattr
|
|
|
7629ac |
+lsetxattr
|
|
|
7629ac |
open
|
|
|
7629ac |
openat
|
|
|
7629ac |
open_by_handle_at
|
|
|
7629ac |
+removexattr
|
|
|
7629ac |
rename
|
|
|
7629ac |
renameat
|
|
|
7629ac |
+setxattr
|
|
|
7629ac |
truncate
|
|
|
7629ac |
unlink
|
|
|
7629ac |
unlinkat
|