mediumauditverified ✓rollback-safe
Audit extended attribute changes
audit-xattr-changes · RHEL ≥ 8 · 1 impl
Description
The system must audit all uses of extended attribute modification system calls to track security-relevant attribute changes.
Rationale
Extended attributes include SELinux contexts and other security metadata. Auditing their modification helps detect attempts to bypass security controls.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
- persist_file:
- /etc/audit/rules.d/50-xattr.rules
Framework references
CIS
rhel8 6.3.3.9rhel10 6.3.3.20rhel9 6.3.3.9
STIG
V-281117 / RHEL-10-500310V-258179 / RHEL-09-654025V-230413
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#xattr#selinux#stig