Add description to benchmark doc for 8.1.27

docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd

@@ -352,7 +352,7 @@ Configure network interfaces to turn off promiscuous mode unless approved by the
 #ip link set dev <devicename> multicast off promisc off
 ```
 
-## 8.1.1.4 Set failure mode of audit service (scored) 
+## 2.1.4 Set failure mode of audit service (scored) 
 
 ### Profile Applicability
 Level 4
@@ -733,6 +733,7 @@ Verify the operating system generates audit records when successful/unsuccessful
 ```
 If the command does not return any output, this is a finding.
 
+### Remediation 
 Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
 ```
 -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
@@ -759,6 +760,7 @@ Verify the operating system generates audit records when successful/unsuccessful
 ```
 If the command does not return any output, this is a finding.
 
+### Remediation 
 Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_tally/pam_tally2" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
 ```
 -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295  -k privileged-pam
@@ -766,6 +768,54 @@ Fixtext: Configure the operating system to generate audit records when successfu
 ```
 The audit daemon must be restarted for the changes to take effect.
 
+## 8.1.27 Record Events That Modify configuration files (scored)
+
+### Profile Applicability
+Level 4
+
+### Description
+Record events affecting the auditd, grub, fstab, pam, systectl configuration files. th
+
+### Rationale
+Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.
+
+### Aduit
+Verify the operating system generates audit records that modify configuration. Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+```
+# grep "config_file_change" /etc/audit/audit.rules
+-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change
+-w /etc/audit/auditd.conf -p wa -k config_file_change
+-w /etc/audit/rules.d/ -p wa -k config_file_change
+-w /etc/default/grub -p wa -k config_file_change
+-w /etc/fstab -p wa -k config_file_change
+-w /etc/hosts.deny -p wa -k config_file_change
+-w /etc/login.defs -p wa -k config_file_change
+-w /etc/pam.d/ -p wa -k config_file_change
+-w /etc/profile -p wa -k config_file_change
+-w /etc/profile.d/ -p wa -k config_file_change
+-w /etc/security/ -p wa -k config_file_change
+-w /etc/sysctl.conf -p wa -k config_file_change
+```
+If the command does not return any output, this is a finding.
+
+### Remediation 
+Fixtext: Configure the operating system to generate audit records that modify configuration files. Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+```
+-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change
+-w /etc/audit/auditd.conf -p wa -k config_file_change
+-w /etc/audit/rules.d/ -p wa -k config_file_change
+-w /etc/default/grub -p wa -k config_file_change
+-w /etc/fstab -p wa -k config_file_change
+-w /etc/hosts.deny -p wa -k config_file_change
+-w /etc/login.defs -p wa -k config_file_change
+-w /etc/pam.d/ -p wa -k config_file_change
+-w /etc/profile -p wa -k config_file_change
+-w /etc/profile.d/ -p wa -k config_file_change
+-w /etc/security/ -p wa -k config_file_change
+-w /etc/sysctl.conf -p wa -k config_file_change
+```
+The audit daemon must be restarted for the changes to take effect.
+
 ## 8.5 Verifies integrity all packages (scored) 
 
 ### Profile Applicability