mediumauditverified ✓rollback-safe
Audit file ownership changes
audit-chown-changes · RHEL ≥ 8 · 1 impl
Description
The system must audit all uses of the chown, fchown, fchownat, and lchown system calls to track ownership changes.
Rationale
Unauthorized ownership changes could allow attackers to take control of system files. Auditing ownership changes provides accountability and helps detect unauthorized modifications.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
- persist_file:
- /etc/audit/rules.d/50-perm-mod.rules
Framework references
CIS
rhel8 6.3.3.20rhel10 6.3.3.19
STIG
V-281164 / RHEL-10-500790V-258178 / RHEL-09-654020V-230455
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#ownership#chown#stig