From b361f6fe3dd4268adcf50df936309585b6fc713a Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Wed, 4 Jul 2012 02:17:21 -0400
Subject: [PATCH 09/11] Updated audit_dac_actions
- Changed title of audit_dac_actions to match style of MAC rule title - MAC and DAC auditing placed immediately after each other increases readability of the guide - Mapped to CCI-126 --- rhel6/src/input/system/auditing.xml | 48 +++++++++++++++++----------------- 1 files changed, 24 insertions(+), 24 deletions(-) diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index 2ab0adf..0633724 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -535,6 +535,30 @@ MAC policy should be audited.</rationale> <ref nist="AU-2" /> </Rule> +<Rule id="audit_dac_actions"> +<title>Record Events that Modify the System's Discretionary +Access Controls</title> +<description>At a minimum the audit system should collect file +permission changes for all users and root. Add the following to +<tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as +appropriate for your system: +<pre>-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat \ + -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat \ + -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod + -a always,exit -F arch=ARCH -S setxattr -S lsetxattr \ + -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \ + -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> +</description> +<rationale>The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse amoung both authorized and +unauthorized users.</rationale> +<ident cce="14058-2" /> +<oval id="audit_rules_dac_modification" /> +<ref nist="AU-2" disa="126"/> +</Rule> + <Rule id="audit_manual_logon_edits"> <title> Record Attempts to Alter Logon and Logout Events</title> <description> 
@@ -567,30 +591,6 @@ as an attacker attempting to remove evidence of an intrusion.</rationale> <!--<ref nist="TODO" />--> </Rule> -<Rule id="audit_dac_actions"> -<title>Ensure <tt>auditd</tt> Collects Discretionary Access Control -Permission Modification Events</title> -<description>At a minimum the audit system should collect file -permission changes for all users and root. Add the following to -<tt>/etc/audit/audit.rules</tt>, setting ARCH to either b32 or b64 as -appropriate for your system: -<pre>-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat \ - -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=ARCH -S chown -S fchown -S fchownat \ - -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=ARCH -S setxattr -S lsetxattr \ - -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr \ - -F auid>=500 -F auid!=4294967295 -k perm_mod</pre> -</description> -<rationale>The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse amoung both authorized and -unauthorized users.</rationale> -<ident cce="14058-2" /> -<oval id="audit_rules_dac_modification" /> -<ref nist="AU-2" /> -</Rule> - <Rule id="audit_file_access"> <title>Ensure <tt>auditd</tt> Collects Unauthorized Access Attempts to Files (unsuccessful)</title> <description>At a minimum the audit system should collect -- 1.7.1
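Review bot: the rationale in the re-added audit_dac_actions block in the first hunk still carries the spelling error "amoung" (`+can facilitate the identification of patterns of abuse amoung both authorized and`); since the whole rule text is being moved in this patch, correct it to "among" here rather than leaving it for a follow-up. Two smaller points in the same hunk: the second and third audit rules are now indented one space inside the `<pre>` (`+ -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat \`) whereas the block being removed in the second hunk had `-a` flush left, so the rendered guide will show the three rules misaligned; and the description tells the reader to set ARCH to "either b32 or b64 as appropriate for your system", but a 64-bit kernel still services 32-bit system calls, so on x86_64 the guide should direct the reader to load both a b32 and a b64 copy of each rule, otherwise chmod/chown/setxattr calls made by 32-bit binaries are not audited.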
_______________________________________________
scap-security-guide mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/scap-security-guide
