Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
An XCCDF Rule
Description
The audit system should collect detailed unauthorized file accesses for
all users and root. The open_by_handle_at
syscall can be used to modify files
if called for write operation of with O_TRUNC_WRITE flag.
The following auidt rules will asure that unsuccessful attempts to modify a
file via open_by_handle_at
syscall are collected.
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules
in the directory
/etc/audit/rules.d
.
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modificationIf the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
warning alert: Warning
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel; then
mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')"
cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules"
## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance.
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80966-5
- NIST-800-171-3.1.7