Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
An XCCDF Rule
Description
The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd
daemon is configured
to use the augenrules
program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modifyIf the
auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modifyIf the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
warning alert: Warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
Rationale
Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition: