mediumauditverified ✓rollback-safe
Audit unsuccessful permission change attempts
audit-unsuccessful-perm · RHEL ≥ 8 · 1 impl
Description
The system must audit unsuccessful attempts to change file permissions to detect potential unauthorized modification attempts.
Rationale
Failed permission change attempts may indicate an attacker attempting to modify system files or escalate privileges. Auditing these events aids in intrusion detection.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -k perm_chng
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -k perm_chng
- persist_file:
- /etc/audit/rules.d/50-perm-chng.rules
Framework references
CIS
rhel8 6.3.3.9rhel9 6.3.3.9
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#permissions#failed#intrusion-detection#stig