CCE-92660-0

Platform: cpe:/o:ubuntu:ubuntu_linux:18.04
Date: (C)2019-11-07   (M)2023-07-04



Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes.

The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes.

In all cases, an audit record will only be written for non-system userids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier perm_mod.

Rationale: Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.


Parameter:

[yes/no]


Technical Mechanism:

For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

    # Execute the following command to restart auditd
    # pkill -HUP -P 1 auditd

For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

    -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

    # Execute the following command to restart auditd
    # pkill -HUP -P 1 auditd
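A static compliance check for the rules above, as an added example that is not part of the original CCE entry or of SecPod's OVAL content. The function name missing_perm_mod and the one-rule-per-line assumption are this example's own; the syscall list, the auid threshold of 500 and the perm_mod key are taken from the entry.

```sh
#!/bin/sh
# Added example: static check of an audit rules file against the perm_mod
# requirement. Assumes one rule per line and the entry's auid threshold (500).
PERM_MOD_SYSCALLS="chmod fchmod fchmodat chown fchown fchownat lchown \
setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr"

# missing_perm_mod RULES_FILE ARCH [MIN_AUID]
# Prints, space-separated, every required syscall that no complete rule for
# ARCH (b32 or b64) covers. Prints nothing when coverage is complete.
missing_perm_mod() {
    awk -v arch="$2" -v min="${3:-500}" -v want="$PERM_MOD_SYSCALLS" '
    /^[ \t]*#/ { next }                       # skip comment lines
    {
        n = split($0, f, /[ \t]+/)
        act = ar = key = lo = unset = ns = 0
        for (i = 1; i < n; i++) {
            v = f[i + 1]
            if (f[i] == "-a" && (v == "always,exit" || v == "exit,always")) act = 1
            else if (f[i] == "-k" && v == "perm_mod") key = 1
            else if (f[i] == "-S") {           # accepts -S a -S b and -S a,b
                m = split(v, s, ",")
                for (j = 1; j <= m; j++) sc[++ns] = s[j]
            } else if (f[i] == "-F") {
                if (v == "arch=" arch) ar = 1
                else if (v == "key=perm_mod") key = 1
                else if (v == "auid>=" min) lo = 1
                # 4294967295, -1 and unset all name the unset login uid
                else if (v ~ /^auid!=(4294967295|-1|unset)$/) unset = 1
            }
        }
        # Only a rule carrying every required field counts toward coverage
        if (act && ar && key && lo && unset)
            for (j = 1; j <= ns; j++) seen[sc[j]] = 1
    }
    END {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++)
            if (!(w[i] in seen)) out = out (out == "" ? "" : " ") w[i]
        if (out != "") print out
    }' "$1"
}

# Usage: sh this_script /etc/audit/audit.rules b64
if [ "$#" -ge 2 ]; then missing_perm_mod "$@"; fi
```

This inspects the rules file only; compare against the output of auditctl -l to confirm what the kernel has actually loaded.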

CCSS Severity:
CCSS Score: 7.3
Exploit Score: 2.5
Impact Score: 4.7
Severity: HIGH
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: HIGH
Availability: LOW

References:
Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:51259


OVAL    1
oval:org.secpod.oval:def:51259
XCCDF    1
xccdf_org.secpod_benchmark_general_Ubuntu_18_04

© SecPod Technologies