diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd index 66e9338..6401c07 100644 --- a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd +++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd @@ -352,7 +352,7 @@ Configure network interfaces to turn off promiscuous mode unless approved by the #ip link set dev multicast off promisc off ``` -## 8.1.1.4 Set failure mode of audit service (scored) +## 2.1.4 Set failure mode of audit service (scored) ### Profile Applicability Level 4 @@ -733,6 +733,7 @@ Verify the operating system generates audit records when successful/unsuccessful ``` If the command does not return any output, this is a finding. +### Remediation Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": ``` -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam @@ -759,6 +760,7 @@ Verify the operating system generates audit records when successful/unsuccessful ``` If the command does not return any output, this is a finding. +### Remediation Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_tally/pam_tally2" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": ``` -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam 
@@ -766,6 +768,54 @@ Fixtext: Configure the operating system to generate audit records when successfu ``` The audit daemon must be restarted for the changes to take effect. +## 8.1.27 Record Events That Modify configuration files (scored) + +### Profile Applicability +Level 4 + +### Description +Record events affecting the auditd, grub, fstab, pam, systectl configuration files. th + +### Rationale +Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. + +### Aduit +Verify the operating system generates audit records that modify configuration. Check the auditing rules in "/etc/audit/audit.rules" with the following command: +``` +# grep "config_file_change" /etc/audit/audit.rules +-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change +-w /etc/audit/auditd.conf -p wa -k config_file_change +-w /etc/audit/rules.d/ -p wa -k config_file_change +-w /etc/default/grub -p wa -k config_file_change +-w /etc/fstab -p wa -k config_file_change +-w /etc/hosts.deny -p wa -k config_file_change +-w /etc/login.defs -p wa -k config_file_change +-w /etc/pam.d/ -p wa -k config_file_change +-w /etc/profile -p wa -k config_file_change +-w /etc/profile.d/ -p wa -k config_file_change +-w /etc/security/ -p wa -k config_file_change +-w /etc/sysctl.conf -p wa -k config_file_change +``` +If the command does not return any output, this is a finding. + +### Remediation +Fixtext: Configure the operating system to generate audit records that modify configuration files. 
Add or update the following rule in "/etc/audit/rules.d/audit.rules": +``` +-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change +-w /etc/audit/auditd.conf -p wa -k config_file_change +-w /etc/audit/rules.d/ -p wa -k config_file_change +-w /etc/default/grub -p wa -k config_file_change +-w /etc/fstab -p wa -k config_file_change +-w /etc/hosts.deny -p wa -k config_file_change +-w /etc/login.defs -p wa -k config_file_change +-w /etc/pam.d/ -p wa -k config_file_change +-w /etc/profile -p wa -k config_file_change +-w /etc/profile.d/ -p wa -k config_file_change +-w /etc/security/ -p wa -k config_file_change +-w /etc/sysctl.conf -p wa -k config_file_change +``` +The audit daemon must be restarted for the changes to take effect. + ## 8.5 Verifies integrity all packages (scored) ### Profile Applicability
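Review bot: in the @@ -352 hunk the heading is renumbered from "8.1.1.4" to "2.1.4 Set failure mode of audit service", which moves an auditd item out of the 8.x audit section while the rest of this patch keeps audit items under 8.1.x (the new 8.1.27) and 8.5; confirm that "2.1.4" matches the table of contents and the check-script ID for this item, otherwise the cross-references will not line up. The hunk also shows this section sitting directly after the promiscuous-mode remediation (`#ip link set dev multicast off promisc off`), so it is worth checking that the section order still agrees with the TOC after the renumbering.

Review bot: the "### Remediation" heading added in the @@ -733 hunk (pam_timestamp_check) is the right fix for the missing structure, but the same item checks "/etc/audit/audit.rules" in the Audit step while the Fixtext writes to "/etc/audit/rules.d/audit.rules"; on Debian 9 audit.rules is regenerated from rules.d by augenrules when the service is restarted, so the check only passes after the restart the item already calls for. Suggest adding `auditctl -l | grep privileged-pam` to the Audit step so the reader verifies the rule the kernel actually loaded rather than the file on disk.

Review bot: in the @@ -759 hunk the Fixtext says "pam_tally/pam_tally2" but the only rule visible is `-a always,exit -F path=/sbin/pam_tally -F perm=wxa ...`; if a matching rule for pam_tally2 is not in the part of the hunk cut off by the "...", add it so the fix covers both commands the text names. Also note that this rule uses `-F perm=wxa` whereas the pam_timestamp_check rule in the previous hunk uses `-F perm=x`; if the difference is intended (also recording writes and attribute changes to the binary), say so in the Fixtext, otherwise make the two consistent.

Review bot: the new 8.1.27 section in the @@ -766 hunk has several problems a reader will hit. Typos: "systectl" should be "sysctl", the stray "th" at the end of the Description line should be dropped, and "### Aduit" should be "### Audit"; the Description names only auditd, grub, fstab, pam and sysctl while the rule list also watches /etc/hosts.deny, /etc/login.defs, /etc/profile, /etc/profile.d/ and /etc/security/, so the Description should list what the rules actually cover. Logic: the Audit step says "If the command does not return any output, this is a finding", but twelve watches are expected, so the criterion should be that any of the listed rules is missing, and the Fixtext should read "rules", not "rule". Loading caveat: /etc/audisp/audisp-remote.conf is shipped by the audispd-plugins package, not by auditd, so on a host without that package the watch `-w /etc/audisp/audisp-remote.conf -p wa -k config_file_change` points at a file that does not exist; on audit 2.x a watch on a missing path fails to load and, unless the rules file starts with `-c`, the remaining rules are not loaded either, so either state the package as a prerequisite, place the rule last with `-c` at the top of the file, or test on a minimal Debian 9 install before merging. Finally, as with the earlier hunks, the Audit step greps /etc/audit/audit.rules while the fix writes /etc/audit/rules.d/audit.rules; consider checking `auditctl -l | grep config_file_change` so the result reflects the loaded rule set.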