{"description": "The audit system should collect <tt>sethostname</tt>\nevents for all users and root. If the <tt>auditd</tt> daemon is configured to\nuse the <tt>augenrules</tt> program to read audit rules during daemon startup\n(the default), add the following line to a file with the suffix <tt>.rules</tt> in\nthe directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for a\n32-bit system, or having two lines for both b32 and b64 in case your\nsystem is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S sethostname -F auid&gt;=1000 -F auid!=unset -F key=system-locale</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to the\n<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for a\n32-bit system, or having two lines for both b32 and b64 in case your\nsystem is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S sethostname -F auid&gt;=1000 -F auid!=unset -F key=system-locale</pre>", "rationale": "Monitoring <tt>sethostname</tt> will identify potential unauthorized\nchanges to the host name of a system. Changing the host name could\npotentially break security parameters that are set based on this name.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>sethostname</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"sethostname\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify the System's Network Environment - sethostname", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_networkconfig_modification_sethostname/rule.yml", "template": {"name": "audit_rules_dac_modification", "vars": {"attr": "sethostname", "key": "system-locale", "syscall_grouping": ["sethostname", "setdomainname"]}, "backends": {}}}