Detections
Analytics
4.1.11 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM
Information
Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.Solution
For 32 bit systems add the following lines to the /etc/audit/audit.rules file:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
For 64 bit systems add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
See Also
Item Details
Audit Name: CIS Amazon Linux v2.1.0 L2
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12c., CSCv6|14.6
Plugin: Unix
Control ID: 1b36f1239ed07b8c9e6a1d15a0b648a4497e4e9cb527088479fefd72be9f7c25