Profile Applicability:
• Level 2
Description:
Discretionary Access Control (DAC) permission modifications involve changes to file or directory permissions that control user and group access. Collecting audit logs of these changes helps detect unauthorized or malicious permission alterations.
Rationale:
Monitoring permission changes supports security by ensuring that access controls remain intact and unauthorized modifications are quickly identified.
Impact:
Pros:
Provides visibility into changes affecting file and directory permissions.
Helps prevent privilege escalation and unauthorized data access.
Cons:
May produce a large volume of audit logs; requires effective log management.
Default Value:
Audit rules for permission modifications may not be enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check existing audit rules for DAC permission changes:
auditctl -l | grep chmod
Verify that audit rules exist for the chmod, fchmod and fchmodat system calls on both the 64-bit (arch=b64) and 32-bit (arch=b32) architectures, tagged with the perm_mod key.
Implementation Plan:
Using Linux command line:
Add audit rules to log DAC permission modifications:
auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
auditctl -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
Persist these rules by adding them to /etc/audit/rules.d/audit.rules.
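The following script, added here as an example and not part of the CIS benchmark text, ties the Test Plan and Implementation Plan together: perm_mod_rules prints the two rules to persist, and check_perm_mod_rules reads `auditctl -l` output (or a rules file) and reports any (arch, syscall) pair that is not covered under the perm_mod key. The function names and the SAMPLE_LOADED ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark text: emit the persistent rule
# file content for this recommendation and verify that a loaded ruleset
# (the output of `auditctl -l`, or a rules file) covers chmod, fchmod and
# fchmodat on both arch=b64 and arch=b32 under the perm_mod key.

# Print the two rules exactly as they should appear in the rules.d file.
perm_mod_rules() {
    for arch in b64 b32; do
        echo "-a always,exit -F arch=$arch -S chmod -S fchmod -S fchmodat -k perm_mod"
    done
}

# Read rule lines on stdin; print each missing (arch, syscall) pair.
# Returns 0 when every pair is covered, 1 otherwise. Handles both the
# "-S chmod -S fchmod" form and the comma-joined "-S chmod,fchmod" form
# that auditctl -l prints, and both "-k perm_mod" and "-F key=perm_mod".
check_perm_mod_rules() {
    rules=$(cat)
    missing=0
    for arch in b64 b32; do
        for sc in chmod fchmod fchmodat; do
            if ! printf '%s\n' "$rules" \
                | grep -- "-F arch=$arch" \
                | grep -E -- "(-k perm_mod|-F key=perm_mod)([[:space:]]|$)" \
                | grep -Eq -- "-S ([a-z0-9_]+,)*$sc(,|[[:space:]]|$)"; then
                echo "missing: arch=$arch syscall=$sc key=perm_mod"
                missing=1
            fi
        done
    done
    return $missing
}

# Constructed sample of `auditctl -l` output on a host where only the
# 64-bit rule was loaded (the b32 rule is absent).
SAMPLE_LOADED='-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F key=perm_mod'

# Self-check: the rules we would persist must pass the checker.
perm_mod_rules | check_perm_mod_rules >/dev/null && echo "rules.d content complete"
# The sample host fails, listing the three missing 32-bit entries.
printf '%s\n' "$SAMPLE_LOADED" | check_perm_mod_rules || echo "host ruleset incomplete"
```

On a real host, run `auditctl -l | check_perm_mod_rules` for the Test Plan and `perm_mod_rules > /etc/audit/rules.d/audit.rules` (as root) to persist the rules.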
Backout Plan:
Using Linux command line:
Remove or disable permission modification audit rules if necessary:
auditctl -d always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
auditctl -d always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
Reload the audit daemon configuration so the change takes effect.
References:
CIS Amazon Linux 2 Benchmark v3.0.0