4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM

Information

Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access.'

Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.

Rationale:

Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/50-access.rules
Add the following lines:

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/50-access.rules
Add the following lines:

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

Additional Information:

Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:

# awk '/^s*UID_MIN/{print $2}' /etc/login.defs

If your systems' UID_MIN is not 1000, replace audit>=1000 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures.

See Also

https://workbench.cisecurity.org/files/3219

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CSCv7|14.9

Plugin: Unix

Control ID: 8ae02d972ff50190ada6ad06be5b511b6f3520c2702ef94f7638a5f86d8134d7