Configure auditing of successful file accesses

An XCCDF Rule

Description

Ensure that successful attempts to access a file are audited. The following rules configure audit as described above:

## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access

Load new Audit rules into kernel by running:

augenrules --load

Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

Rationale

Auditing of successful attempts to access a file helps in investigation of activities performed on the system.

ID: xccdf_org.ssgproject.content_rule_audit_access_success
Severity: Medium
References: 0582 0584 0586 05885 0846 0957

AU-2(a)

FAU_GEN.1.1.c

SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
        overwrite: true

Configure auditing of successful file accesses

Description

Rationale

Remediation - Kubernetes Patch