mediumauditverified ✓rollback-safe
Ensure discretionary access control permission modification events are collected
audit-perm-mod · RHEL ≥ 8 · 1 impl
Description
Discretionary access control permission changes must be collected.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkcommand
auditctl -l 2>/dev/null | grep -E '(-k|key=)perm_mod([[:space:]]|$)' | grep -q -- '-S [a-z0-9,]*chmod'
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
- persist_file:
- /etc/audit/rules.d/50-perm_mod.rules
Framework references
CIS
rhel8 6.3.3.9rhel9 6.3.3.9
STIG
V-281163 / RHEL-10-500780V-258177 / RHEL-09-654015
NIST 800-53
AU-2AU-12AC-3
Live verification
rhel8:checkrhel9:check
#audit#auditd