Skip to content

Configure auditing of successful file modifications (ppc64le)

An XCCDF Rule

Description

Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above:

## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification    
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.

Rationale

Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system.

ID
xccdf_org.ssgproject.content_rule_audit_modify_success_ppc64le
Severity
Medium
References
Updated



Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:

Remediation - Ansible

- name: Put contents into /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
    content: |
      ## Successful file modifications (open for write or truncate)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -q ppc64le /proc/sys/kernel/osrelease; }; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification