Record Events that Modify the System's Discretionary Access Controls - removexattr
An XCCDF Rule
Description
At a minimum, the audit system should collect file permission changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.
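As an added example, not part of this guide or of the project that publishes it, the following POSIX shell check reads audit rule lines and confirms that a complete removexattr rule exists for each requested architecture, accepting the grouped -S list form the warning describes. The sample rules are constructed; treating -k as equivalent to -F key=, and 4294967295 or -1 as equivalent to unset, follows auditctl's own syntax and is an assumption about how the rules may appear on a given system.

```shell
#!/bin/sh
# Added check (not part of the guide): verify that audit rule lines, as found in
# /etc/audit/rules.d/*.rules or /etc/audit/audit.rules, contain the removexattr
# rules described above, in single or grouped "-S a,b,removexattr,..." form.

# Constructed sample input: the b64 rule is grouped and complete, the b32 rule
# lacks "-F auid!=unset", and the last line is an unrelated watch rule.
SAMPLE_RULES='# constructed sample rules
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F key=perm_mod
-w /etc/shadow -p wa -k identity'

has() { printf '%s\n' "$2" | grep -Eq "$1"; }   # has REGEX LINE

# rule_covers_removexattr ARCH LINE: succeeds when LINE is an always,exit rule
# for ARCH that audits removexattr (alone or inside a syscall list), restricts
# to real users (auid>=1000 and auid!=unset) and carries the perm_mod key.
rule_covers_removexattr() {
  r_arch=$1 r_line=$2
  # Each filter is matched separately, so the order of fields does not matter.
  has '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)([[:space:]]|$)' "$r_line" || return 1
  has "(^|[[:space:]])-F[[:space:]]+arch=$r_arch([[:space:]]|\$)" "$r_line" || return 1
  has '(^|[[:space:]])-S[[:space:]]+([^[:space:]]*,)?removexattr(,[^[:space:]]*)?([[:space:]]|$)' "$r_line" || return 1
  has '(^|[[:space:]])-F[[:space:]]+auid>=1000([[:space:]]|$)' "$r_line" || return 1
  # auditctl -l prints "unset" as 4294967295 (-1); accept those spellings too.
  has '(^|[[:space:]])-F[[:space:]]+auid!=(unset|-1|4294967295)([[:space:]]|$)' "$r_line" || return 1
  has '(^|[[:space:]])(-F[[:space:]]+key=|-k[[:space:]]+)perm_mod([[:space:]]|$)' "$r_line"
}

# check_removexattr_rules ARCH...: reads rule lines on stdin, reports each
# requested architecture, and succeeds only when every one has a covering rule.
check_removexattr_rules() {
  covered=" "
  while IFS= read -r line; do
    for arch in "$@"; do
      rule_covers_removexattr "$arch" "$line" && covered="$covered$arch "
    done
  done
  rc=0
  for arch in "$@"; do
    case "$covered" in
      *" $arch "*) echo "ok: arch=$arch removexattr rule present" ;;
      *) echo "missing: arch=$arch removexattr rule (auid>=1000, auid!=unset, key=perm_mod)"; rc=1 ;;
    esac
  done
  return $rc
}

# A 64-bit system needs both architectures; pass only b32 on a 32-bit system.
printf '%s\n' "$SAMPLE_RULES" | check_removexattr_rules b32 b64 || echo "audit rules incomplete"
```

On a live system the same function can be fed the loaded rules with auditctl -l, which shows what the kernel actually enforces rather than what the files say.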
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
- ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
- Severity: Medium
- References: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000507-CTR-001295
- Updated