{"description": "The audit system should collect unsuccessful file permission change\nattempts for all users and root.\nIf the <tt>auditd</tt> daemon is configured\nto use the <tt>augenrules</tt> program to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt> file.\n<pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change\n-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>\nIf the system is 64 bit then also add the following lines:\n<pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change\n-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>", "rationale": "Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing\nthese events could serve as evidence of potential system compromise.", "severity": "medium", "references": {"nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit unsuccessful calls\nto the <code>fremovexattr</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"fremovexattr\" /etc/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the audit rule checks a\nsystem call independently of other system calls. Grouping system calls related\nto the same event is more efficient. See the following example:\n<pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Unsuccessful Permission Changes to Files - fremovexattr", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr/rule.yml", "template": {"name": "audit_rules_unsuccessful_file_modification", "vars": {"name": "fremovexattr"}, "backends": {}}}