← Rules Catalog
mediumauditverified rollback-safe

Audit file ownership changes

audit-chown-changes · RHEL ≥ 8 · 1 impl

Description

The system must audit all uses of the chown, fchown, fchownat, and lchown system calls to track ownership changes.

Rationale

Unauthorized ownership changes could allow attackers to take control of system files. Auditing ownership changes provides accountability and helps detect unauthorized modifications.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
persist_file:
/etc/audit/rules.d/50-perm-mod.rules

Framework references

CIS

rhel8 6.3.3.20rhel10 6.3.3.19

STIG

V-281164 / RHEL-10-500790V-258178 / RHEL-09-654020V-230455

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#ownership#chown#stig