Detections
Analytics
4.1.12 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES 64 bit
Information
Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'Rationale:
Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.
Solution
For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rulesExample: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
Notes:
Reloading the auditd config to set active settings may require a system reboot.
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72123
Rule ID: SV-86747r4_rule
STIG ID: RHEL-07-030500
Severity: CAT II
Vul ID: V-72125
Rule ID: SV-86749r4_rule
STIG ID: RHEL-07-030510
Severity: CAT II
Vul ID: V-72127
Rule ID: SV-86751r4_rule
STIG ID: RHEL-07-030520
Severity: CAT II
Vul ID: V-72129
Rule ID: SV-86753r4_rule
STIG ID: RHEL-07-030530
Severity: CAT II
Vul ID: V-72131
Rule ID: SV-86755r4_rule
STIG ID: RHEL-07-030540
Severity: CAT II
Vul ID: V-72133
Rule ID: SV-86757r4_rule
STIG ID: RHEL-07-030550
Severity: CAT II
See Also
Item Details
Audit Name: CIS Amazon Linux 2 STIG v1.0.0 L2
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-3, CSCv7|14.9
Plugin: Unix
Control ID: 1e358a4437c0c2d4438865597952d52e575ac23d202490ced64c56b3eed2cca5