← Rules Catalog
mediumauditverified rollback-safe

Ensure discretionary access control permission modification events are collected

audit-perm-mod · RHEL ≥ 8 · 1 impl

Description

Discretionary access control permission changes must be collected.

Rationale

Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.

Check → Remediate

Checkcommand
auditctl -l 2>/dev/null | grep -E '(-k|key=)perm_mod([[:space:]]|$)' | grep -q -- '-S [a-z0-9,]*chmod'
expected_exit:
0
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
persist_file:
/etc/audit/rules.d/50-perm_mod.rules

Framework references

CIS

rhel8 6.3.3.9rhel9 6.3.3.9

STIG

V-281163 / RHEL-10-500780V-258177 / RHEL-09-654015

NIST 800-53

AU-2AU-12AC-3

Live verification

rhel8:checkrhel9:check
#audit#auditd