Record Events that Modify the System's Discretionary Access Controls - removexattr
Description
At a minimum, the audit system should collect file permission changes for all users and root.
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
Shell script
The following script can be run on the host to remediate the issue.
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S removexattr.*"
    GROUP="perm_mod"
    FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'.
    # fix_audit_syscall_rule is defined in the SCAP Security Guide's shared bash
    # remediation function library, which the generated script includes before
    # this point; it is not shown here.
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
#
# What architecture are we on?
#
- name: Set architecture for audit removexattr tasks
  set_fact:
    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"

#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "-F key=perm_mod$"
    patterns: "*.rules"
  register: find_removexattr

- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
  set_fact:
    all_files:
      - /etc/audit/rules.d/privileged.rules
  when: find_removexattr.matched == 0

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
      - "{{ find_removexattr.files | map(attribute='path') | list | first }}"
  when: find_removexattr.matched > 0

- name: Inserts/replaces the removexattr rule in rules.d when on x86
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
    create: yes
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

- name: Inserts/replaces the removexattr rule in rules.d when on x86_64
  lineinfile:
    path: "{{ all_files[0] }}"
    line: "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
    create: yes
  when: audit_arch == 'b64'
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
  with_items:
    - "-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470

- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64
  lineinfile:
    line: "{{ item }}"
    state: present
    dest: /etc/audit/audit.rules
    create: yes
  with_items:
    - "-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
  when: audit_arch == 'b64'
  tags:
    - audit_rules_dac_modification_removexattr
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(7)
    - NIST-800-53-AU-1(b)
    - NIST-800-53-AU-2(a)
    - NIST-800-53-AU-2(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-AU-12(a)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-IR-5
    - NIST-800-171-3.1.7
    - PCI-DSS-Req-10.5.5
    - CJIS-5.4.1.1
    - DISA-STIG-RHEL-07-030470
Warning
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient: one rule with several syscalls in its -S list costs less per syscall than one rule per syscall.
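The Description above gives the rule to add and the Warning notes that removexattr may instead appear grouped with other syscalls in a single rule, which a naive text match for the exact rule line would miss. The following script is an added example, not part of this guide or of the SCAP Security Guide project's own checks: it parses an audit rule listing (the output of `auditctl -l`, or the rules files themselves) and reports, per architecture, whether a rule that covers removexattr with the required auid filters and key is present. Function names (`has_removexattr_rule`, `check_removexattr_rules`, `required_archs`) are this example's own, and the two rule listings are constructed samples, not captured from a host. It assumes the `auditctl -l` conventions of printing the unset auid as `-1` and the key as `-F key=`, and also accepts the `4294967295`, `unset` and `-k` spellings used in rules files.

```shell
#!/bin/sh
# Added example (not part of this guide): verify that an audit rule listing
# covers removexattr for every required architecture. The listing is whatever
# `auditctl -l` prints, or the concatenated contents of the rules files; the two
# samples below are constructed for this example, not captured from a host.

# has_removexattr_rule ARCH  (rule listing on stdin)
# Succeeds when some "-a always,exit" rule for ARCH lists removexattr in its -S
# list (exact syscall name, so lremovexattr/fremovexattr alone do not count),
# filters auid>=1000, excludes the unset auid (4294967295 in rules files, -1 in
# `auditctl -l` output, "unset" also accepted), and is keyed perm_mod via either
# "-F key=perm_mod" or the older "-k perm_mod" spelling.
has_removexattr_rule() {
    awk -v arch="$1" '
    $1 == "-a" && ($2 == "always,exit" || $2 == "exit,always") {
        arch_ok = 0; sys_ok = 0; auid_ok = 0; unset_ok = 0; key_ok = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-F" && $(i+1) == ("arch=" arch)) arch_ok = 1
            if ($i == "-S") {
                # -S may carry a comma-separated group of syscalls; match the exact name
                n = split($(i+1), sc, ",")
                for (j = 1; j <= n; j++) if (sc[j] == "removexattr") sys_ok = 1
            }
            if ($i == "-F" && $(i+1) == "auid>=1000") auid_ok = 1
            if ($i == "-F" && ($(i+1) == "auid!=4294967295" || $(i+1) == "auid!=-1" || $(i+1) == "auid!=unset")) unset_ok = 1
            if (($i == "-F" && $(i+1) == "key=perm_mod") || ($i == "-k" && $(i+1) == "perm_mod")) key_ok = 1
        }
        if (arch_ok && sys_ok && auid_ok && unset_ok && key_ok) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# required_archs: the same 32/64-bit test the remediation script above uses.
required_archs() {
    if [ "$(getconf LONG_BIT 2>/dev/null)" = "32" ]; then echo "b32"; else echo "b32 b64"; fi
}

# check_removexattr_rules FILE ARCH...  -> 0 if every ARCH is covered, else 1
check_removexattr_rules() {
    file="$1"; shift
    rc=0
    for arch in "$@"; do
        if has_removexattr_rule "$arch" < "$file"; then
            echo "ok:      removexattr rule present for arch=$arch"
        else
            echo "MISSING: removexattr rule for arch=$arch"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample 1: a compliant host whose b64 rule groups removexattr with
# the other xattr syscalls, as the Warning section recommends.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod
-w /etc/passwd -p wa -k identity
EOF

# Constructed sample 2: b32 is covered, but the b64 rules either audit the wrong
# syscalls or lack the auid!= filter, so b64 must be reported as missing.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -k perm_mod
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT

echo "== sample 1 =="; check_removexattr_rules "$SAMPLE_OK" b32 b64
echo "== sample 2 =="; check_removexattr_rules "$SAMPLE_BAD" b32 b64 || echo "remediation needed"
# On a live host, save the output of `auditctl -l` to a file and run:
#   check_removexattr_rules THAT_FILE $(required_archs)
```

The check is deliberately stricter than a substring match: a rule that names only lremovexattr/fremovexattr, or that drops the `auid!=` filter (and would therefore also log daemon activity with no login session), is not counted, which is exactly what the grouped-rule layout the Warning describes requires a scanner to get right.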