{"description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to <tt>/etc/audit/audit.rules</tt>:\n\n<pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod\n\n    -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod\n    -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:\n\n<pre>-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod\n\n    -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod\n    -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["audit_rules_dac_modification_chmod", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fchmodat2", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_umount", "audit_rules_dac_modification_umount2"], "platform": "", "platforms": [], "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "title": "Record Events that Modify the System's Discretionary Access Controls", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/group.yml"}