← Rules Catalog
mediumauditverified rollback-safe

Audit file permission modification syscalls

audit-chmod-changes · RHEL ≥ 8 · 1 impl

Description

The chmod, fchmod, and fchmodat system calls must be audited. These syscalls change file permissions and can be used to weaken security.

Rationale

Auditing permission changes allows detection of unauthorized attempts to modify file access controls and potential privilege escalation.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
persist_file:
/etc/audit/rules.d/50-perm_mod.rules

Framework references

STIG

V-230456

NIST 800-53

AU-2AU-12CM-6

Live verification

rhel8:check
#audit#auditd#permissions#chmod