Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE
An XCCDF Rule
Description
The audit system should collect detailed file access records for
all users and root. The openat
syscall can be used to modify
files if called for write operation with the O_TRUNC_WRITE flag.
The following audit rules will assure that successful attempts to create a
file via openat
syscall are collected.
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules
in the directory
/etc/audit/rules.d
.
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules
file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modificationIf the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
warning alert: Warning
-a always,exit -F arch=b32 -S open,openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
Rationale
Successful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_successful_file_modification_openat_o_trunc_write
- Severity
- Medium
- Updated