Skip to content
trimstray edited this page Feb 28, 2019 · 4 revisions

You can file an issue about it and ask that it be added.


Table of Contents

Auditd

The audit service provides substantial capabilities for recording system activities.

By default, the service audits about SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.

Enable auditing for processes which start prior to the audit daemon

Rationale

Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

Solution

Set the value
# Add to /etc/default/grub:
GRUB_CMDLINE_LINUX="... audit=1"

# Updated grub configuration:
grub2-mkconfig -o

C2S/CIS: CCE-27212-0 (Medium)

Comments

Useful resources

Enable auditd service

Rationale

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Solution

Set the value
systemctl enable auditd.service

C2S/CIS: CCE-27407-6 (High)

Comments

Useful resources

Max log file size

Rationale

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.

Solution

Set the value
# Edit /etc/audit/auditd.conf:
max_log_file = STOREMB

C2S/CIS: CCE-27319-3 (Medium)

Comments

Useful resources

Notification on low disk space

Rationale

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

Solution

Set the value
# Edit /etc/audit/auditd.conf:
action_mail_acct = root

C2S/CIS: CCE-27394-6 (Medium)

Comments

Useful resources

Action on low disk space

Rationale

Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Solution

Set the value
# Edit /etc/audit/auditd.conf:
admin_space_left_action = ACTION

C2S/CIS: CCE-27370-6 (Medium)

Comments

Useful resources

Action upon reaching maximum log size

Rationale

Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data.

However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.

Solution

Set the value
# Edit /etc/audit/auditd.conf:
max_log_file_action = ACTION

C2S/CIS: CCE-27231-0 (Medium)

Comments

Useful resources

Collects information on kernel module loading and unloading

Rationale

The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules

-a always,exit -F arch=ARCH -S init_module,finit_module,create_module,delete_module -F key=modules

C2S/CIS: CCE-27129-6 (Medium)

Comments

Useful resources

Record attempts to alter logon and logout events

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins

C2S/CIS: CCE-27204-7 (Medium)

Comments

Useful resources

Record attempts to alter time through stime

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules

C2S/CIS: CCE-27299-7 (Medium)

Comments

Useful resources

Record attempts to alter time through settimeofday

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules

C2S/CIS: CCE-27216-1 (Medium)

Comments

Useful resources

Record attempts to alter the localtime file

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-w /etc/localtime -p wa -k audit_time_rules

C2S/CIS: CCE-27310-2 (Medium)

Comments

Useful resources

Record attempts to alter time through clock_settime

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

C2S/CIS: CCE-27219-5 (Medium)

Comments

Useful resources

Record attempts to alter time through adjtimex

Rationale

Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

C2S/CIS: CCE-27290-6 (Medium)

Comments

Useful resources

Record events that modify the system's discretionary access controls

Rationale

The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.

Solution

fchown
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27356-5 (Medium)

setxattr
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27213-8 (Medium)

chown
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27364-9 (Medium)

removexattr
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27367-2 (Medium)

fchownat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27387-0 (Medium)

chmod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27339-1 (Medium)

fsetxattr
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27389-6 (Medium)

fchmod
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27393-8 (Medium)

lsetxattr
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27280-7 (Medium)

fremovexattr
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27353-2 (Medium)

lchown
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27083-5 (Medium)

fchmodat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27388-8 (Medium)

lremovexattr
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

C2S/CIS: CCE-27410-0 (Medium)

Comments

Useful resources

Ensure auditd collects file deletion events by user

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.

Solution

unlinkat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

C2S/CIS: CCE-80662-0 (Medium)

rename
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete

C2S/CIS: CCE-27206-2 (Medium)

renameat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete

C2S/CIS: CCE-80413-8 (Medium)

unlink
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete

C2S/CIS: CCE-27206-2 (Medium)

Comments

Useful resources

Record information on the use of privileged commands

Rationale

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

Solution

unlinkat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

C2S/CIS: CCE-27437-3 (Medium)

Comments

To find the relevant setuid and setgid programs:

find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

Useful resources

Record unauthorized access attempts to files

Rationale

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Solution

truncate
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

C2S/CIS: CCE-80389-0 (Medium)

creat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

C2S/CIS: CCE-80385-8 (Medium)

open
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

C2S/CIS: CCE-80386-6 (Medium)

open_by_handle_at
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

C2S/CIS: CCE-80388-2 (Medium)

ftruncate
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

C2S/CIS: CCE-80390-8 (Medium)

openat
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

C2S/CIS: CCE-80387-4 (Medium)

Comments

Useful resources

Ensure auditd collects system administrator actions

Rationale

The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

C2S/CIS: CCE-27461-3 (Medium)

Comments

Useful resources

Record events that modify the system's network environment

Rationale

The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

C2S/CIS: CCE-27076-9 (Medium)

Comments

Useful resources

Record attempts to alter process and session initiation information

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

C2S/CIS: CCE-27301-1 (Medium)

Comments

Useful resources

Make the auditd configuration immutable

Rationale

Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-e 2

C2S/CIS: CCE-27097-5 (Medium)

Comments

Useful resources

Record events that modify user/group information

Rationale

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Solution

/etc/shadow
# Add to /etc/audit/rules.d/extended.rules
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

C2S/CIS: CCE-80431-0 (Medium)

/etc/security/opasswd
# Add to /etc/audit/rules.d/extended.rules
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

C2S/CIS: CCE-80430-2 (Medium)

/etc/gshadow
# Add to /etc/audit/rules.d/extended.rules
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

C2S/CIS: CCE-80432-8 (Medium)

/etc/passwd
# Add to /etc/audit/rules.d/extended.rules
-w /etc/passwd -p wa -k audit_rules_usergroup_modification

C2S/CIS: CCE-80435-1 (Medium)

/etc/group
# Add to /etc/audit/rules.d/extended.rules
-w /etc/group -p wa -k audit_rules_usergroup_modification

C2S/CIS: CCE-80433-6 (Medium)

Comments

Useful resources

Ensure auditd collects information on exporting to media

Rationale

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export

C2S/CIS: CCE-27447-2 (Medium)

Comments

Useful resources

Record events that modify the system's mandatory access controls

Rationale

The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.

Solution

Set the value
# Add to /etc/audit/rules.d/extended.rules
-w /etc/selinux/ -p wa -k MAC-policy

C2S/CIS: CCE-27168-4 (Medium)

Comments

Useful resources

You can’t perform that action at this time.