[PATCH 0/2] updated setuid/setgid OVAL checks
by Jeffrey Blank
This is a notification of push of (slightly modified) OVAL code
submitted by Rui, as described here:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-July/00...
Thanks Rui!
Ideally we would be able to "pass" any setuid/setgid program
that was installed as part of an RPM. Til then, this is a big
improvement from the previous check (which could never pass).
Furthermore, this is easy for other users to tailor to their
environments.
It also gets "make validate" (OVAL schematron validation) closer to passing,
since it corrects the use of the deprecated check_existence="none_exist"
attribute in the unix:file_test.
Jeffrey Blank (2):
Added line to indicate test output file, to OVAL testing script
new versions of unauth suid/sgid OVAL checks
.../checks/file_permissions_unauthorized_sgid.xml | 60 ++++++++++++--
.../checks/file_permissions_unauthorized_suid.xml | 86 +++++++++++++++++--
RHEL6/input/checks/testcheck.py | 1 +
3 files changed, 129 insertions(+), 18 deletions(-)
10 years, 9 months
[PATCH 0/2] closing in on OVAL schematron validation
by Jeffrey Blank
This is about taking care of the output from "make validate",
which remains a testament to how little motivation
exists to maintain OVAL.
Jeffrey Blank (2):
removal of invalid state child element in /var/log/audit ownership
test
removal of invalid state child element in world-writable files test
.../input/checks/file_ownership_var_log_audit.xml | 8 ++++++--
...ile_permissions_unauthorized_world_writable.xml | 1 -
2 files changed, 6 insertions(+), 3 deletions(-)
10 years, 9 months
Question about RHEL-06-000185
by Trevor Vaughan
All,
I've been running in compliance with this rule for quite some time now and
I'm noticing that the amount of noise that it produces is simply outrageous.
The suggestion is:
At a minimum the audit system should collect file permission changes for
all users and root. Add the following to "/etc/audit/audit.rules":
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
-k perm_mod
And here is the output of a normal workstation over about a week of
auditing and normal usage:
Syscall Summary Report
==========================
total syscall
==========================
24907 chmod
15870 chown
11169 rename
7409 open
6462 fchmod
5290 fchown
3687 umount2
1443 setsid
1166 fsetxattr
869 removexattr
456 adjtimex
360 fchmodat
337 lchown
211 setuid
69 mkdir
63 setsockopt
33 unlink
22 setxattr
20 clone
19 execve
7 fchownat
7 mount
7 creat
4 close
4 ioctl
3 symlink
2 mknod
1 rmdir
1 lsetxattr
1 clock_settime
1 capset
So, I get why this can be useful. But I'm not so sure that it's useful to
know that Pidgin dropped a new temp file every few minutes or that, each
time I open a file (and write a temp file), that I did this as a normal
user.
I just can't see the practicality of going through those top three calls on
a regular basis.
I'm not necessarily suggesting that this type of thing be dropped but I'd
like to understand how auditors won't fall into just ignoring them
completely.
Thoughts?
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
10 years, 9 months
note for the USGCB tickets
by Jeffrey Blank
Shawn (et al),
The ticketing system shows me you'd opened up a bunch of tickets to add
a "New rule" for items which were in the old RHEL 5 USGCB profile.
Okay, great, this helps with ensuring there is continuation of that
profile/baseline with some consistency.
A few notes:
1) I've been able to close some of the tickets as "fixed", providing
explanation as to why. Some of them are being handled through other
mechanisms for RHEL 6.
2) If anybody starts executing on the other tickets, the goal is NOT to
add new rules as the ticket says, but rather to conduct investigation to
see if the Rule is applicable to RHEL 6 in the same way it was
applicable to RHEL 5.
3) In the ticket titles, there is some of the odd CCE language which
talks about disabling/enabling things "as appropriate". That's fine as
an identifier (and the RHEL 6 USGCB did use some of this language).
However, this style of language, which is intended for neither a human
nor a machine, should never appear in the project's XCCDF. (Just in case
anybody gets any ideas.)
Thanks,
Jeff
--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance
10 years, 9 months
Suggestion for RHEL-06-000198
by Trevor Vaughan
All,
Currently the remediation text for RHEL-06-000198 reads as:
At a minimum the audit system should collect the execution of privileged
commands for all users and root. To find the relevant setuid programs:
# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
Then, for each setuid program on the system, add a line of the following
form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path
to each setuid program in the list:
-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F
auid!=4294967295 -k privileged
I would like to suggest that this be changed to
Add the following to audit.rules:
-a always,exit -F arch=b64 -F euid=0 -F uid!=0 -S execve -k suid-root-exec
-a always,exit -F arch=b64 -F egid=0 -F gid!=0 -S execve -k sgid-root-exec
-a always,exit -F arch=b32 -F euid=0 -F uid!=0 -S execve -k suid-root-exec
-a always,exit -F arch=b32 -F egid=0 -F gid!=0 -S execve -k sgid-root-exec
From my testing, this appears to catch the execution of all suid/sgid
binaries without digging all over the system to figure out what they are.
As an added bonus, you get to find out about binaries that pop onto your
system for a brief period.
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
10 years, 9 months
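A triage script that serves both of Trevor's posts above (the perm_mod noise report and the euid/uid execve rules), added here as an example and not part of the list discussion or of the scap-security-guide project: it parses constructed audit.log SYSCALL records, counts perm_mod events per program and login uid, and picks out the execve records that the proposed suid-root/sgid-root field tests would tag. The log lines are made up; the field names are auditd's own, and the syscall numbers assume x86_64.

```python
"""Triage auditd SYSCALL records: quantify perm_mod noise per program and
pick out the execve events a euid=0/uid!=0 (or egid=0/gid!=0) rule tags."""
import re
from collections import Counter

# auditd writes a SYSCALL record as space-separated key=value pairs; string
# values such as comm and exe are double-quoted (auditd hex-encodes them
# instead when they contain odd characters; the constructed samples avoid that).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# arch=c000003e marks an x86_64 syscall; this subset of the x86_64 table is
# enough to label the samples (i386 records, arch=40000003, use other numbers).
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {59: "execve", 90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown"}

# Constructed sample records, not captured from any real host. The perm_mod
# ones are what the guide's chmod/chown rules produce; the execve ones carry
# the key Trevor's proposed rules would attach, or none at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1374000000.101:1001): arch=c000003e syscall=90 success=yes exit=0 auid=500 uid=500 gid=500 euid=500 egid=500 comm="pidgin" exe="/usr/bin/pidgin" key="perm_mod"
type=SYSCALL msg=audit(1374000000.102:1002): arch=c000003e syscall=90 success=yes exit=0 auid=500 uid=500 gid=500 euid=500 egid=500 comm="pidgin" exe="/usr/bin/pidgin" key="perm_mod"
type=SYSCALL msg=audit(1374000000.103:1003): arch=c000003e syscall=92 success=yes exit=0 auid=500 uid=500 gid=500 euid=500 egid=500 comm="pidgin" exe="/usr/bin/pidgin" key="perm_mod"
type=SYSCALL msg=audit(1374000000.104:1004): arch=c000003e syscall=90 success=yes exit=0 auid=500 uid=500 gid=500 euid=500 egid=500 comm="firefox" exe="/usr/lib64/firefox/firefox" key="perm_mod"
type=SYSCALL msg=audit(1374000000.105:1005): arch=c000003e syscall=90 success=no exit=-13 auid=501 uid=501 gid=501 euid=501 egid=501 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1374000000.106:1006): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=500 gid=500 euid=0 egid=500 comm="passwd" exe="/usr/bin/passwd" key="suid-root-exec"
type=SYSCALL msg=audit(1374000000.107:1007): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=500 gid=500 euid=500 egid=22 comm="wall" exe="/usr/bin/wall" key=(null)
type=SYSCALL msg=audit(1374000000.108:1008): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 gid=0 euid=0 egid=0 comm="bash" exe="/bin/bash" key=(null)
type=PATH msg=audit(1374000000.106:1006): item=0 name="/usr/bin/passwd" inode=1234 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
"""


def parse_records(text):
    """Return one dict of fields per SYSCALL record; other types are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL "):
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        number = int(rec.get("syscall", "-1"))
        if rec.get("arch") == X86_64_ARCH:
            rec["syscall_name"] = X86_64_SYSCALLS.get(number, str(number))
        else:
            rec["syscall_name"] = str(number)
        records.append(rec)
    return records


def perm_mod_noise(records):
    """Events tagged perm_mod per (exe, auid), busiest first: aureport's
    per-syscall totals cannot say which program is generating the volume."""
    counts = Counter((r.get("exe", "?"), r.get("auid", "?"))
                     for r in records if r.get("key") == "perm_mod")
    return counts.most_common()


def privileged_execs(records):
    """execve records matching the proposed rules' field tests, judged on the
    uid/euid and gid/egid fields rather than on the key, so the result is the
    same whether or not those rules were loaded when the log was written.
    Root's own commands (uid=0) and binaries that are setgid to a group other
    than root (egid!=0, e.g. sgid tty) fall outside those tests."""
    hits = []
    for r in records:
        if r.get("syscall_name") != "execve":
            continue
        suid_root = r.get("euid") == "0" and r.get("uid") != "0"
        sgid_root = r.get("egid") == "0" and r.get("gid") != "0"
        if suid_root or sgid_root:
            hits.append({"exe": r.get("exe"), "auid": r.get("auid"),
                         "uid": r.get("uid"), "euid": r.get("euid"),
                         "gid": r.get("gid"), "egid": r.get("egid"),
                         "key": r.get("key")})
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("perm_mod events by program and login uid:")
    for (exe, auid), n in perm_mod_noise(recs):
        print(f"  {n:6d}  auid={auid:<6} {exe}")
    print("privileged execs (setuid/setgid root):")
    for h in privileged_execs(recs):
        print(f"  auid={h['auid']} uid={h['uid']} euid={h['euid']} "
              f"gid={h['gid']} egid={h['egid']} {h['exe']} key={h['key']}")
```

Feed it a real log with `parse_records(open("/var/log/audit/audit.log").read())`; records whose exe is hex-encoded rather than quoted will show up as an unquoted hex string in the exe column.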
[PATCH] Removing '\' from audit rule lines to prevent confusion.
by Maura Dailey
Attempting to copy and paste the auditing rules as is into /etc/audit/audit.rules won't
work if the '\' characters are left in. Experienced sysadmins MIGHT catch this and remove
them, but in my opinion, the benefit of having tidier printouts of auditing rules doesn't
outweigh the risk that users will be unable to correctly diagnose the resulting errors if
they copy and paste from the HTML version of the guide. No mention is given anywhere in
the prose that these line extension characters should be removed, and users that are
unfamiliar with audit rule formatting might assume that the '\' characters are a required
field.
- Maura Dailey
Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
---
RHEL6/input/system/auditing.xml | 107 +++++++++++++--------------------------
1 files changed, 35 insertions(+), 72 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index 1c907bd..e9cac2c 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -750,22 +750,14 @@ calls. Additionally, these rules can be configured in a number of ways while
still achieving the desired effect. An example of this is that the "-S" calls
could be split up and placed on separate lines, however, this is less efficient.
Add the following to <tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat \
- -F auid>=500 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S chown -S fchown -S fchownat \
- -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b32 -S setxattr -S lsetxattr \
- -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \
- -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+ -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+ -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If your system is 64 bit then these lines should be duplicated and the
arch=b32 replaced with arch=b64 as follows:
-<pre>-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat \
- -F auid>=500 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b64 -S chown -S fchown -S fchownat \
- -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
- -a always,exit -F arch=b64 -S setxattr -S lsetxattr \
- -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \
- -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+ -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+ -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<rationale>The changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
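Review bot: the second and third rules in both replacement pre blocks still begin with a leading space (the "+ -a always,exit -F arch=b32 -S chown ..." and "+ -a always,exit -F arch=b32 -S setxattr ..." lines, and their b64 counterparts) while the first rule starts at column 0, so the indentation that belonged to the removed continuation lines is only half cleaned up; drop that leading space so the three rules line up in the rendered guide and paste identically.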
@@ -777,11 +769,9 @@ abuse among both authorized and unauthorized users.</rationale>
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<rationale>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
@@ -805,11 +795,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="chown" />
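Review bot: this hunk and the eleven that follow make the same two-line change to near-identical per-syscall descriptions (chown through setxattr), and the ocil block right here already avoids that duplication with <audit-syscall-check-macro syscall="chown" />; a matching description macro taking the syscall name would keep the rule text in one place, so the next formatting fix to these rules is one edit rather than thirteen.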
@@ -833,11 +821,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="fchmod" />
@@ -861,11 +847,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="fchmodat" />
@@ -889,11 +873,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="fchown" />
@@ -917,11 +899,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="fchownat" />
@@ -945,11 +925,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="fremovexattr" />
@@ -973,11 +951,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="fsetxattr" />
@@ -1001,11 +977,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="lchown" />
@@ -1029,11 +1003,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="lremovexattr" />
@@ -1057,11 +1029,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="lsetxattr" />
@@ -1085,11 +1055,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="removexattr" />
@@ -1113,11 +1081,9 @@ calls with others as identifying earlier in this guide is more efficient.
<description>At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>:
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="setxattr" />
@@ -1176,10 +1142,8 @@ as an attacker attempting to remove evidence of an intrusion.</rationale>
unauthorized file accesses for all users and root. Add the following
to <tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as
appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
- -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
--a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
- -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre>
+<pre>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre>
</description>
<ocil clause="either command lacks output">
To verify that the audit system collects unauthorized file accesses, run the following commands:
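Review bot: the replacement pre block still contains the ARCH placeholder ("-F arch=ARCH"), which auditctl will not load as-is any more than it loaded the backslashes, and the prose above it ("setting ARCH to either b32 or b64 as appropriate for your system") contradicts the perm_mod hunks earlier in this patch, which tell 64-bit users to keep the b32 rule and add a b64 copy; since the point of this patch is that the rules paste cleanly, consider spelling out both arch variants here (and in the unlink/rename hunk that follows) the same way the perm_mod descriptions do.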
@@ -1250,8 +1214,7 @@ loss.</rationale>
deletion events for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as
appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \
- -F auid>=500 -F auid!=4294967295 -k delete</pre>
+<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="unlink" />
--
1.7.1
10 years, 9 months
[PATCH] Removing backslash from audit rule lines to prevent confusion.
by Maura Dailey
-<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following:
-<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 \
- -k perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="setxattr" />
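Review bot: this is the sixth hunk making the identical edit to a description that differs only in the syscall name; the `<ocil>` block already avoids that duplication with `<audit-syscall-check-macro syscall="setxattr" />`. A matching macro for the description (parameterised on the syscall and the `-k perm_mod` key) would turn this into a one-line change and keep the six perm_mod rules from drifting apart again.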
@@ -1176,10 +1142,8 @@ as an attacker attempting to remove evidence of an intrusion.</rationale>
unauthorized file accesses for all users and root. Add the following
to <tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as
appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
- -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
--a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \
- -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre>
+<pre>-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access</pre>
</description>
<ocil clause="either command lacks output">
To verify that the audit system collects unauthorized file accesses, run the following commands:
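Review bot: the description text "setting ARCH to either b32 or b64 as appropriate for your system" is inconsistent with the perm_mod descriptions earlier in the patch, which tell a 64-bit system to load both the b32 and the b64 rule. A 64-bit host that loads only the b64 pair of `-F exit=-EACCES` / `-F exit=-EPERM` rules would not record failed opens issued through the 32-bit syscall interface, so either give the rules for both arches or say explicitly that a 64-bit system needs both.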
@@ -1250,8 +1214,7 @@ loss.</rationale>
deletion events for all users and root. Add the following to
<tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as
appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat \
- -F auid>=500 -F auid!=4294967295 -k delete</pre>
+<pre>-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete</pre>
</description>
<ocil>
<audit-syscall-check-macro syscall="unlink" />
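Review bot: the joined rule covers `unlink`, `unlinkat`, `rename` and `renameat`, but the `<ocil>` check is `<audit-syscall-check-macro syscall="unlink" />` only, so a rules file that audits unlink alone passes the manual check while rename-based deletions go unrecorded. The macro should be invoked for each of the four syscalls, or the clause should state that all four must appear in the output.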
--
1.7.1