Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE
An XCCDF Rule
Description
The audit system should collect detailed file access records for
all users and root. The open_by_handle_at
syscall can be used to modify
files if called for write operation with the O_TRUNC_WRITE flag.
The following audit rules will assure that successful attempts to create a
file via open_by_handle_at
syscall are collected.
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules
in the directory
/etc/audit/rules.d
.
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modificationIf the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
warning alert: Warning
-a always,exit -F arch=b32 -S open,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Rationale
Successful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write
- Severity
- Medium
- References
- Updated