{"description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the <tt>auditd</tt> daemon is configured\nto use the <tt>augenrules</tt> program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the system is 64 bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file:\n<pre>-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the system is 64 bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>", "rationale": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.5.5"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-OS-000064-GPOS-00033", "SRG-OS-000466-GPOS-00210", "SRG-OS-000458-GPOS-00203", "SRG-OS-000474-GPOS-00219", "SRG-APP-000091-CTR-000160", "SRG-APP-000492-CTR-001220", "SRG-APP-000493-CTR-001225", "SRG-APP-000494-CTR-001230", "SRG-APP-000500-CTR-001260", "SRG-APP-000507-CTR-001295", "SRG-APP-000495-CTR-001235", "SRG-APP-000499-CTR-001255"], "anssi": ["R73"], "cis": ["6.3.3.9"], "pcidss4": ["10.3.4", "10.3"], "stigid": ["UBTU-22-654160"], "stigref": ["SV-260634r958446_rule"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.9"], "pcidss4": ["10.3.4", "10.3"], "stigid": ["UBTU-22-654160"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>fchownat</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"fchownat\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"fchownat\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/perm_mod.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod\nIt's allowed to group this system call within the same line as \"chown\", \"fchown\", \"fchownat\" and \"lchown\".\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the fchownat system call in Ubuntu 22.04 must generate an audit record.", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Successful/unsuccessful uses of the fchownat system call in Ubuntu 22.04 must generate an audit record.", "vuldiscussion": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.", "checktext": "To determine if the system is configured to audit calls to the\n fchownat  system call, run the following command:\n $ sudo grep \"fchownat\" /etc/audit/audit.*\nIf the system is configured to audit this activity, it will return a line.\n\n\nIf no line is returned, then this is a finding.", "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"fchownat\" system call by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod\n\nIt's allowed to group this system call within the same line as \"chown\", \"fchown\", \"fchownat\" and \"lchown\".\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify the System's Discretionary Access Controls - fchownat", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml", "template": {"name": "audit_rules_dac_modification", "vars": {"attr": "fchownat", "syscall_grouping": ["chown", "fchown", "fchownat", "lchown"]}, "backends": {}}}