{"description": "Ensure that successful attempts to modify permissions of files or directories are audited.\n\nThe following rules configure audit as described above:\n<pre>## Successful permission change\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change    </pre>\n\nLoad new Audit rules into kernel by running:\n<pre>augenrules --load</pre>\n\nNote: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are aligned with your needs.", "rationale": "Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system.", "severity": "medium", "references": {"nist": ["AU-2(a)"], "ospp": ["FAU_GEN.1.1.c"], "srg": ["SRG-OS-000462-GPOS-00206", "SRG-OS-000463-GPOS-00207", "SRG-OS-000465-GPOS-00209", "SRG-OS-000474-GPOS-00219", "SRG-OS-000475-GPOS-00220", "SRG-OS-000466-GPOS-00210", "SRG-OS-000064-GPOS-00033"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the file does not exist or the content differs", "ocil": "To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:\n<pre>cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules</pre>\nThe output has to be exactly as follows:\n<pre>## Successful permission change\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change    </pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["ppc64le_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["ppc64le_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditing of successful permission changes (ppc64le)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml", "template": {"name": "audit_file_contents", "vars": {"filepath": "/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules", "contents": "## Successful permission change\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change"}, "backends": {}}}