diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule new file mode 100644 index 0000000000..2d64245ec8 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule @@ -0,0 +1,38 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unsuccessul Ownership Changes to Files - chown' + +description: |- + The audit system should collect unsuccessful file ownership change + attempts for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ + +rationale: |- + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +{{{ complete_ocil_entry_audit_syscall(syscall="chown") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the audit rule checks a + system call independently of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changediff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule new file mode 100644 index 0000000000..8835dd2d5f --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule @@ -0,0 +1,38 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unsuccessul Ownership Changes to Files - fchown' + +description: |- + The audit system should collect unsuccessful file ownership change + attempts for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ + +rationale: |- + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +{{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the audit rule checks a + system call independently of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changediff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule new file mode 100644 index 0000000000..c40152d7b0 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule @@ -0,0 +1,38 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unsuccessul Ownership Changes to Files - fchownat' + +description: |- + The audit system should collect unsuccessful file ownership change + attempts for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ + +rationale: |- + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +{{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the audit rule checks a + system call independently of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changediff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule new file mode 100644 index 0000000000..2293c4afdd --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule @@ -0,0 +1,38 @@ +documentation_complete: true + +prodtype: rhel7,fedora + +title: 'Record Unsuccessul Ownership Changes to Files - lchown' + +description: |- + The audit system should collect unsuccessful file ownership change + attempts for all users and root. + If the auditd daemon is configured + to use the augenrules program to read audit rules during daemon + startup (the default), add the following lines to a file with suffix + .rules in the directory /etc/audit/rules.d. + If the auditd daemon is configured to use the auditctl + utility to read audit rules during daemon startup, add the following lines to + /etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change+ + +rationale: |- + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing + these events could serve as evidence of potential system compromise. + +severity: medium + +{{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}} + +warnings: + - general: |- + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the audit rule checks a + system call independently of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-changediff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile index 6ca2b4b58f..5398114123 100644 --- a/rhel7/profiles/ospp42-draft.profile +++ b/rhel7/profiles/ospp42-draft.profile @@ -110,9 +110,13 @@ selections: - audit_rules_execution_setsebool - audit_rules_mac_modification - audit_rules_dac_modification_chown + - audit_rules_unsuccessful_file_modification_chown - audit_rules_dac_modification_fchownat + - audit_rules_unsuccessful_file_modification_fchownat - audit_rules_dac_modification_fchown + - audit_rules_unsuccessful_file_modification_fchown - audit_rules_dac_modification_lchown + - audit_rules_unsuccessful_file_modification_lchown - audit_rules_privileged_commands_passwd - audit_rules_privileged_commands_unix_chkpwd - audit_rules_privileged_commands_userhelper diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv index 632bd19a68..15cf44c0f4 100644 --- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv +++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv @@ -1,5 +1,9 @@ creat +chown +fchown +fchownat ftruncate +lchown open openat open_by_handle_at diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh new file mode 100644 index 0000000000..4e1e71b717 --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_ospp + +echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules +echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules +echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules +echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh new file mode 100644 index 0000000000..d8e8e0b1dd --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_ospp + +rm -f /etc/audit/rules.d/* +> /etc/audit/audit.rules diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh new file mode 100644 index 0000000000..e8691611dc --- /dev/null +++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_ospp + +echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules +echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules +echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules +echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules