- 필수 기능
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- 디지털 경험
- 소프트웨어 제공
- 보안
- 로그 관리
- 관리
- 인프라스트럭처
- ci
- containers
- csm
- ndm
- otel_guides
- overview
- slos
- synthetics
- tests
- 워크플로
At a minimum, the audit system should collect file permission changes for all users and root.
If the auditd
daemon is configured
to use the augenrules
program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr.*"
GROUP="perm_mod"
FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_fix_audit_syscall_rule" use="legacy"/>
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
The following playbook can be run with Ansible to remediate the issue.
#
# What architecture are we on?
#
- name: Set architecture for audit fremovexattr tasks
set_fact:
audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
#
# Inserts/replaces the rule in /etc/audit/rules.d
#
- name: Search /etc/audit/rules.d for other DAC audit rules
find:
paths: "/etc/audit/rules.d"
recurse: no
contains: "-F key=perm_mod$"
patterns: "*.rules"
register: find_fremovexattr
- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
set_fact:
all_files:
- /etc/audit/rules.d/privileged.rules
when: find_fremovexattr.matched == 0
- name: Use matched file as the recipient for the rule
set_fact:
all_files:
- "{{ find_fremovexattr.files | map(attribute='path') | list | first }}"
when: find_fremovexattr.matched > 0
- name: Inserts/replaces the fremovexattr rule in rules.d when on x86
lineinfile:
path: "{{ all_files[0] }}"
line: "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
create: yes
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.5.5
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030480
- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64
lineinfile:
path: "{{ all_files[0] }}"
line: "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
create: yes
when: audit_arch == 'b64'
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.5.5
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030480
#
# Inserts/replaces the rule in /etc/audit/audit.rules
#
- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86
lineinfile:
line: "{{ item }}"
state: present
dest: /etc/audit/audit.rules
with_items:
- "-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.5.5
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030480
- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64
lineinfile:
line: "{{ item }}"
state: present
dest: /etc/audit/audit.rules
create: yes
with_items:
- "-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"
when: audit_arch == 'b64'
tags:
- audit_rules_dac_modification_fremovexattr
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.5.5
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030480
Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.