← Rules Catalog
mediumauditverified rollback-safe

Audit truncate, ftruncate, creat, open, openat, and open_by_handle_at syscalls

audit-file-open-truncate · RHEL ≥ 8 · 1 impl

Description

The truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls must be audited to track unauthorized file access and modification attempts.

Rationale

Auditing file open and truncation syscalls provides visibility into unauthorized file access, creation, and modification. This is essential for detecting data exfiltration and malicious file manipulation.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
persist_file:
/etc/audit/rules.d/50-file-access.rules

Framework references

STIG

V-281125 / RHEL-10-500390V-258188 / RHEL-09-654070V-230449

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#syscall#file-access