Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE

Description

The audit system should collect detailed file access records for all users and root. The open_by_handle_at syscall can be used to modify files if called for write operation with the O_TRUNC_WRITE flag. The following audit rules will assure that successful attempts to create a file via open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification

If the system is 64 bit then also add the following lines:

-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification

warning alert: Warning

Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:

-a always,exit -F arch=b32 -S open,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification

Rationale

Successful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

ID: xccdf_org.ssgproject.content_rule_audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write
Severity: Medium
Updated: over 1 year ago