{"description": "At a minimum, the audit system should collect file permission changes\nfor all users and root. If the <tt>auditd</tt> daemon is configured\nto use the <tt>augenrules</tt> program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-a always,exit -F arch=b32 -S chmod -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change</pre>\n\nIf the system is 64 bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S chmod -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\nthe <tt>/etc/audit/audit.rules</tt> file:\n<pre>-a always,exit -F arch=b32 -S chmod -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change</pre>\n\nIf the system is 64 bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S chmod -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change</pre>\n\nThe <tt>-F success=1</tt> filter records only calls that succeeded, and the two <tt>auid</tt> filters restrict the rule to events attributable to a logged-in user (a login UID of 1000 or above that is not unset), so daemon activity and failed attempts are not recorded by this rule.", "rationale": "File permission changes could be an indicator of malicious activity on a system. Auditing\nthese events could serve as evidence of potential system compromise.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit successful calls\nto the <code>chmod</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep -r \"chmod\" /etc/audit/audit.rules /etc/audit/rules.d/</pre>\nIf the system is configured to audit this activity, it will return a line.\nNote that this pattern also matches <code>fchmod</code> and <code>fchmodat</code> rules and commented-out lines, so confirm that the returned line is an uncommented rule containing <code>-S chmod</code> and <code>-F success=1</code>. To confirm the rule is loaded in the running kernel, run <code>sudo auditctl -l | grep chmod</code>.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others, as described earlier in this guide, is more efficient. This rule covers only the <tt>chmod</tt> system call; <tt>fchmod</tt> and <tt>fchmodat</tt> are handled by separate rules in this guide."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Successful Permission Changes to Files - chmod", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml", "template": null}
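The description above tells the administrator which rule lines to add, and the OCIL check is a plain grep that would also be satisfied by an `fchmod` rule or a commented-out line. The following checker is an added example, not the SCAP Security Guide's own OVAL or OCIL content: it parses `auditctl`-style rule lines, skips comments, accepts `chmod` grouped with other syscalls in one `-S` list (the more efficient form the warning refers to) and both key spellings (`-F key=` and `-k`), and reports whether a matching successful-`chmod` rule exists for each required architecture. The rule-file contents embedded in it are constructed samples, and the function names and `REQUIRED_FILTERS` set are this example's own.

```python
"""Check audit rule text for the successful-chmod rule (added example, not SSG code)."""
import shlex
from typing import Optional, Set, Tuple

# Filters that must all be present for a rule to count as "successful chmod by a real user".
REQUIRED_FILTERS = {"success=1", "auid>=1000", "auid!=unset"}

# (action, arch, syscalls, other -F filters, key)
Rule = Tuple[str, Optional[str], Set[str], Set[str], Optional[str]]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; return None for comments, blank lines and non '-a' rules."""
    line = line.split("#", 1)[0].strip()  # drop trailing or full-line comments
    if not line.startswith("-a "):
        return None
    toks = shlex.split(line)  # whitespace split; '>' and '!' are ordinary characters here
    action, arch, key = "", None, None
    syscalls: Set[str] = set()
    filters: Set[str] = set()
    i = 0
    while i < len(toks) - 1:
        flag, value = toks[i], toks[i + 1]
        if flag == "-a":
            action = value
        elif flag == "-S":
            syscalls.update(value.split(","))  # '-S chmod,fchmod,fchmodat' lists several syscalls
        elif flag == "-F":
            if value.startswith("arch="):
                arch = value[len("arch="):]
            elif value.startswith("key="):
                key = value[len("key="):]
            else:
                filters.add(value)
        elif flag == "-k":
            key = value
        else:
            i += 1  # unknown single token: advance by one rather than skipping a pair
            continue
        i += 2
    return action, arch, syscalls, filters, key


def matches_successful_chmod(rule: Optional[Rule]) -> bool:
    """True if the rule audits successful chmod calls with the required auid filters."""
    if rule is None:
        return False
    action, _arch, syscalls, filters, _key = rule
    return (set(action.split(",")) == {"always", "exit"}
            and "chmod" in syscalls
            and REQUIRED_FILTERS <= filters)


def covered_arches(rules_text: str) -> Set[str]:
    """Architectures (b32/b64) for which a matching successful-chmod rule is present."""
    arches: Set[str] = set()
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if matches_successful_chmod(rule) and rule[1]:
            arches.add(rule[1])
    return arches


def check_successful_chmod(rules_text: str, is_64bit: bool = True) -> bool:
    """Pass/fail as the description requires: b32 on every system, b32 and b64 on 64-bit ones."""
    needed = {"b32", "b64"} if is_64bit else {"b32"}
    return needed <= covered_arches(rules_text)


# Constructed sample rule files (not output from a real system).
COMPLIANT = """\
## successful permission changes, exactly as in the rule description
-a always,exit -F arch=b32 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
"""

# b32 rule commented out, plus an fchmod rule that a bare grep for "chmod" would still match
PARTIAL = """\
#-a always,exit -F arch=b32 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b32 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
"""

# chmod grouped with related syscalls and the -k key spelling; still compliant
GROUPED = """\
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F success=1 -F auid>=1000 -F auid!=unset -k successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F success=1 -F auid>=1000 -F auid!=unset -k successful-perm-change
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("partial", PARTIAL), ("grouped", GROUPED)):
        print(f"{name}: arches={sorted(covered_arches(text))} pass={check_successful_chmod(text)}")
```

Run the script directly to see the three verdicts; in practice you would feed it the concatenated contents of `/etc/audit/audit.rules` and `/etc/audit/rules.d/*.rules`, and separately confirm with `auditctl -l` that the same rules are actually loaded, since a rule file that `augenrules` has not yet merged audits nothing.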