At a minimum, the audit system should collect file permission
changes for all users and root. If the 'auditd' daemon is configured
to use the 'augenrules' program to read audit rules during daemon
startup (the default), add the following line to a file with the suffix
'.rules' in the directory '/etc/audit/rules.d':
'-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
If the system is 64-bit, then also add the following line:
'-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
If the 'auditd' daemon is configured to use the 'auditctl'
utility to read audit rules during daemon startup, add the following line to
the file '/etc/audit/audit.rules':
'-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
If the system is 64-bit, then also add the following line:
'-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
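The following POSIX shell check is an added example, not part of this SCAP definition or its OVAL content: it verifies that a rules file carries the fchownat 'perm_mod' rule for b32 and, on 64-bit systems, for b64. It goes slightly beyond the text by also accepting a rule whose '-S' list names fchownat together with other syscalls; the function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added compliance check (not part of the SCAP definition). Assumes rules
# use the "-a always,exit -F arch=... -S ... -F auid>=1000 -F auid!=4294967295 -k perm_mod"
# form quoted in the text; a -S list may also contain other syscalls.

# Return 0 if file $1 contains an fchownat perm_mod rule for arch $2 (b32 or b64).
has_fchownat_rule() {
    grep -Eq -- "^[[:space:]]*-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+arch=$2[[:space:]]+-S[[:space:]]+([[:alnum:]_]+,)*fchownat(,[[:alnum:]_]+)*[[:space:]]+-F[[:space:]]+auid>=1000[[:space:]]+-F[[:space:]]+auid!=4294967295[[:space:]]+-k[[:space:]]+perm_mod([[:space:]]|$)" "$1"
}

# Check file $1 for every arch the machine needs: b32 always, b64 too when
# $2 is "64" (pass "$(getconf LONG_BIT)" on a live host). Prints one line
# per arch and returns non-zero if any required rule is missing.
check_fchownat_rules() {
    rules_file=$1
    if [ "$2" = 64 ]; then archs="b32 b64"; else archs="b32"; fi
    status=0
    for a in $archs; do
        if has_fchownat_rule "$rules_file" "$a"; then
            echo "OK      $a fchownat rule present in $rules_file"
        else
            echo "MISSING $a fchownat rule in $rules_file"
            status=1
        fi
    done
    return $status
}

# Constructed sample rules.d file that carries only the 32-bit rule, so the
# 64-bit check below reports a gap.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
## constructed example: /etc/audit/rules.d/perm_mod.rules
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
EOF

if check_fchownat_rules "$SAMPLE" 64; then
    echo "fchownat auditing: compliant"
else
    echo "fchownat auditing: compliance gap found"
fi
rm -f "$SAMPLE"
```

On a real host, point it at each file in '/etc/audit/rules.d' or at '/etc/audit/audit.rules' depending on which loader 'auditd' uses, and compare with 'auditctl -l' to confirm the loaded rules match the files.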
Changes to file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can help identify patterns of abuse among both authorized and
unauthorized users.
oval:org.secpod.oval:def:48283
oval:org.secpod.oval:def:48914
SCAP Repo OVAL Definition
2018-11-08