mediumauditverified ✓rollback-safe
Audit file permission modification syscalls
audit-chmod-changes · RHEL ≥ 8 · 1 impl
Description
The chmod, fchmod, and fchmodat system calls must be audited. These syscalls change file permissions and can be used to weaken security.
Rationale
Auditing permission changes allows detection of unauthorized attempts to modify file access controls and potential privilege escalation.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
- persist_file:
- /etc/audit/rules.d/50-perm_mod.rules
Framework references
STIG
V-230456
NIST 800-53
AU-2AU-12CM-6
Live verification
rhel8:check
#audit#auditd#permissions#chmod