Record Successful Creation Attempts to Files - open O_CREAT
An XCCDF Rule
Description
The open
syscall can be used to create new files
when O_CREAT flag is specified.
The following audit rules will assure that successful attempts to create a
file via open
syscall are collected.
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules
in the directory
/etc/audit/rules.d
.
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S open -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-createIf the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
warning alert: Warning
-a always,exit -F arch=b32 -S open,open -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
Rationale
Successful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_successful_file_modification_open_o_creat
- Severity
- Medium
- Updated