SV-208900r603263_rule
V-208900
SRG-OS-000064
OL6-00-000191
CAT III
10
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command:
$ sudo grep -w "fsetxattr" /etc/audit/audit.rules
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding.
If the system is not configured to audit the "fsetxattr" system call, this is a finding.
V-208900
False
OL6-00-000191
To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command:
$ sudo grep -w "fsetxattr" /etc/audit/audit.rules
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
-k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
If the system is 64-bit and does not return a rule for both "b32" and "b64" architectures, this is a finding.
If the system is not configured to audit the "fsetxattr" system call, this is a finding.
M
2928