Detections
Analytics
RHEL-06-000197 - The audit system must be configured to audit failed attempts to access files and programs - EPERM
Information
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.Solution
At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to '/etc/audit/audit.rules':-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EPERM -F auid=0 -k access
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EACCES -F auid=0 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
-S ftruncate -F exit=-EPERM -F auid=0 -k access
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 6 STIG v2r2
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12c., CAT|III, CCI|CCI-000172, Rule-ID|SV-217975r603264_rule, STIG-ID|RHEL-06-000197, STIG-Legacy|SV-50367, STIG-Legacy|V-38566, Vuln-ID|V-217975
Plugin: Unix
Control ID: 1ff80b6047dca59880ec390c58a01a1c73bfacea8f342327ae8e80d9b2686165