Configure auditing of successful file creations

Description

Ensure that successful attempts to create a file are audited. The following rules configure audit as described above:

## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create

Load new Audit rules into kernel by running:

augenrules --load

Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

Rationale

Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.

ID: xccdf_org.ssgproject.content_rule_audit_create_success
Severity: Medium
References: AU-2(a)

FAU_GEN.1.1.c

SRG-OS-000458-GPOS-00203 SRG-OS-000461-GPOS-00205 SRG-OS-000463-GPOS-00207 SRG-OS-000465-GPOS-00209 SRG-OS-000474-GPOS-00219 SRG-OS-000475-GPOS-00220
Updated: about 1 year ago