← Rules Catalog
mediumauditverified rollback-safe

Audit unsuccessful permission change attempts

audit-unsuccessful-perm · RHEL ≥ 8 · 1 impl

Description

The system must audit unsuccessful attempts to change file permissions to detect potential unauthorized modification attempts.

Rationale

Failed permission change attempts may indicate an attacker attempting to modify system files or escalate privileges. Auditing these events aids in intrusion detection.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -k perm_chng
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -k perm_chng
persist_file:
/etc/audit/rules.d/50-perm-chng.rules

Framework references

CIS

rhel8 6.3.3.9rhel9 6.3.3.9

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#permissions#failed#intrusion-detection#stig