[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-95085-7

Platform: cpe:/o:ubuntu:ubuntu_linux:20.04,cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04Date: (C)2020-10-15   (M)2023-09-01



Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files. Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier system-locale.


Parameter:

[yes/no]


Technical Mechanism:

For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd

CCSS Severity:CCSS Metrics:
CCSS Score : 4.2Attack Vector: LOCAL
Exploit Score: 0.8Attack Complexity: LOW
Impact Score: 3.4Privileges Required: HIGH
Severity: MEDIUMUser Interaction: NONE
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LScope: UNCHANGED
 Confidentiality: LOW
 Integrity: LOW
 Availability: LOW
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:85159
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:65970
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:92278


OVAL    3
oval:org.secpod.oval:def:92278
oval:org.secpod.oval:def:85159
oval:org.secpod.oval:def:65970
XCCDF    3
xccdf_org.secpod_benchmark_general_Ubuntu_23.04
xccdf_org.secpod_benchmark_general_Ubuntu_22.04
xccdf_org.secpod_benchmark_general_Ubuntu_20.04

© SecPod Technologies