Configure auditing of unsuccessful ownership changes

Description

Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above:

## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change

Load new Audit rules into kernel by running:

augenrules --load

Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

Rationale

Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.

ID: xccdf_org.ssgproject.content_rule_audit_owner_change_failed
Severity: Medium
References: AU-2(a)

FAU_GEN.1.1.c

SRG-OS-000064-GPOS-00033 SRG-OS-000462-GPOS-00206 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000466-GPOS-00210 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220
Updated: about 1 year ago