CCE-94271-4
Platform: cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2019-11-07 (M)2023-07-04 |
At a minimum the audit system should collect file permission
changes for all users and root. If the 'auditd' daemon is configured
to use the 'augenrules' program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
'.rules' in the directory '/etc/audit/rules.d':
'-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
If the system is 64-bit, then also add the following line:
'-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
If the 'auditd' daemon is configured to use the 'auditctl'
utility to read audit rules during daemon startup, add the following line to
the '/etc/audit/audit.rules' file:
'-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
If the system is 64-bit, then also add the following line:
'-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
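One way to check a rules file against this requirement, as an added example (not part of this entry or of the audit package). The function names and the sample file content are constructed for illustration, and the check goes slightly beyond the literal lines above: it accepts comma-separated '-S' lists, '-F key=' in place of '-k', and the '-1' and 'unset' spellings of 4294967295 that auditctl accepts, while rejecting any rule that carries an extra '-F' filter, since that would narrow what is recorded.

```python
import shlex

# Spellings auditctl treats as the same "login uid not set" value.
UNSET_AUID = ("4294967295", "-1", "unset")

def parse_rule(line):
    """Parse one '-a always,exit ...' line into its fields; None for other lines."""
    tokens = shlex.split(line, comments=True)
    if tokens[:2] != ["-a", "always,exit"]:
        return None
    rule = {"syscalls": set(), "filters": set(), "key": None}
    it = iter(tokens[2:])
    for flag in it:
        value = next(it, "")
        if flag == "-S":
            rule["syscalls"].update(value.split(","))  # '-S a,b' and repeated '-S'
        elif flag == "-k":
            rule["key"] = value
        elif flag == "-F" and value.startswith("key="):
            rule["key"] = value[len("key="):]
        elif flag == "-F":
            rule["filters"].add(value)
    return rule

def covers(rule, arch, syscall="removexattr", key="perm_mod"):
    """True if the rule records `syscall` on `arch` with exactly the required filters."""
    rest = rule["filters"] - {f"arch={arch}"}
    return (f"arch={arch}" in rule["filters"]
            and syscall in rule["syscalls"]
            and rule["key"] == key
            and any(rest == {"auid>=1000", f"auid!={u}"} for u in UNSET_AUID))

def missing_arches(rules_text, arches=("b32", "b64")):
    """Return the arches for which no line in rules_text covers removexattr."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    return [a for a in arches if not any(covers(r, a) for r in rules)]

# Constructed sample: contents of a hypothetical file under /etc/audit/rules.d/
SAMPLE = """\
# DAC modification rules
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
"""

if __name__ == "__main__":
    print("missing arches:", missing_arches(SAMPLE) or "none")
```

This inspects rule files on disk only; the rules actually loaded in the kernel are listed by 'auditctl -l'.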
Parameter:
[yes/no]
Technical Mechanism:
The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
CCSS Severity: | CCSS Metrics: |
---|---|
CCSS Score: 5.9 | Attack Vector: LOCAL |
Exploit Score: 2.5 | Attack Complexity: LOW |
Impact Score: 3.4 | Privileges Required: NONE |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
 | Confidentiality: LOW |
 | Integrity: LOW |
 | Availability: LOW |
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72167 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84042 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:55712 |