← Rules Catalog
mediumauditverified rollback-safe

Audit extended attribute changes

audit-xattr-changes · RHEL ≥ 8 · 1 impl

Description

The system must audit all uses of extended attribute modification system calls to track security-relevant attribute changes.

Rationale

Extended attributes include SELinux contexts and other security metadata. Auditing their modification helps detect attempts to bypass security controls.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
persist_file:
/etc/audit/rules.d/50-xattr.rules

Framework references

CIS

rhel8 6.3.3.9rhel10 6.3.3.20rhel9 6.3.3.9

STIG

V-281117 / RHEL-10-500310V-258179 / RHEL-09-654025V-230413

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#xattr#selinux#stig