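diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule
new file mode 100644
index 0000000000..fc5d1c0b92
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - chmod'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="chmod") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change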
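Review bot: The description of the new rule ("attempts for all users and root") does not match the rules it prescribes, which all carry `-F auid>=1000 -F auid!=unset` and therefore never record failed chmod calls made by root or by system accounts. Either change the wording to `attempts for all interactive users` or state explicitly that root and system accounts are excluded by the auid filter; the same mismatch is in the fchmod, fchmodat, fremovexattr, fsetxattr, lremovexattr, lsetxattr, removexattr and setxattr files. The key `unsuccesful-perm-change` and the title word `Unsuccessul` are misspelled in all nine files; the key is presumably what the generated check and any log search will match on, so correct it to `unsuccessful-perm-change` before it ships rather than renaming it later in deployed rule sets. The grouped example in the warning only shows `-F exit=-EACCES`, so an administrator who adopts it in place of the listed rules silently loses the `-EPERM` case; add the matching `-F exit=-EPERM` line to the example.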
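diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule
new file mode 100644
index 0000000000..0b86c9b6b9
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - fchmod'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change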
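diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule
new file mode 100644
index 0000000000..6b9a4796ca
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - fchmodat'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change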
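diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule
new file mode 100644
index 0000000000..7a20898b00
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - fremovexattr'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change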
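Review bot: The grouped example in this file's warning, `-S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr`, does not include fremovexattr, the very syscall the rule is about, so an administrator who follows the "more efficient" grouping instead of the listed rules loses coverage of exactly this rule. The example should read `-S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr` so the grouping is a superset of the individual rules. The lremovexattr and removexattr files carry the same example and the same omission.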
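diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule
new file mode 100644
index 0000000000..aa2d8fddf1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - fsetxattr'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change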
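diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule
new file mode 100644
index 0000000000..ceac04e986
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - lremovexattr'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change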
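diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule
new file mode 100644
index 0000000000..6ff2f59d03
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - lsetxattr'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change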
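diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule
new file mode 100644
index 0000000000..b8946872d7
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - removexattr'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change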
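diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule
new file mode 100644
index 0000000000..a14cc93628
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: rhel7,fedora
+
+title: 'Record Unsuccessul Permission Changes to Files - setxattr'
+
+description: |-
+    The audit system should collect unsuccessful file permission change
+    attempts for all users and root.
+    If the <tt>auditd</tt> daemon is configured
+    to use the <tt>augenrules</tt> program to read audit rules during daemon
+    startup (the default), add the following lines to a file with suffix
+    <tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file.
+    -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    If the system is 64 bit then also add the following lines:
+    -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+    -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+
+rationale: |-
+    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+    these events could serve as evidence of potential system compromise.
+
+severity: medium
+
+{{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}}
+
+warnings:
+    - general: |-
+        Note that these rules can be configured in a
+        number of ways while still achieving the desired effect. Here the audit rule checks a
+        system call independently of other system calls. Grouping system calls related
+        to the same event is more efficient. See the following example:
+        -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change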
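diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
index 42c1e98e39..9802576814 100644
--- a/rhel7/profiles/ospp42-draft.profile
+++ b/rhel7/profiles/ospp42-draft.profile
@@ -108,6 +108,15 @@ selections:
     - audit_rules_dac_modification_lsetxattr
     - audit_rules_dac_modification_removexattr
     - audit_rules_dac_modification_setxattr
+    - audit_rules_unsuccessful_file_modification_chmod
+    - audit_rules_unsuccessful_file_modification_fchmodat
+    - audit_rules_unsuccessful_file_modification_fchmod
+    - audit_rules_unsuccessful_file_modification_fremovexattr
+    - audit_rules_unsuccessful_file_modification_fsetxattr
+    - audit_rules_unsuccessful_file_modification_lremovexattr
+    - audit_rules_unsuccessful_file_modification_lsetxattr
+    - audit_rules_unsuccessful_file_modification_removexattr
+    - audit_rules_unsuccessful_file_modification_setxattr
     - audit_rules_execution_chcon
     - audit_rules_execution_restorecon
     - audit_rules_execution_semanage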
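Review bot: The new selections list `audit_rules_unsuccessful_file_modification_fchmodat` before `audit_rules_unsuccessful_file_modification_fchmod`, whereas the rest of the block (and the neighbouring `audit_rules_dac_modification_*` entries) is alphabetical; swap the two lines so the block stays sorted and the nine new entries can be checked against the nine new rule files by eye. The selections list continues outside the hunk.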
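diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
index 61b81a2ae0..5cc029eb92 100644
--- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
@@ -1,14 +1,23 @@
 creat
+chmod
 chown
+fchmod
+fchmodat
 fchown
 fchownat
+fremovexattr
+fsetxattr
 ftruncate
 lchown
+lremovexattr
+lsetxattr
 open
 openat
 open_by_handle_at
+removexattr
 rename
 renameat
+setxattr
 truncate
 unlink
 unlinkat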