mediumauditverified ✓rollback-safe
Audit truncate, ftruncate, creat, open, openat, and open_by_handle_at syscalls
audit-file-open-truncate · RHEL ≥ 8 · 1 impl
Description
The truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls must be audited to track unauthorized file access and modification attempts.
Rationale
Auditing file open and truncation syscalls provides visibility into unauthorized file access, creation, and modification. This is essential for detecting data exfiltration and malicious file manipulation.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
- persist_file:
- /etc/audit/rules.d/50-file-access.rules
Framework references
STIG
V-281125 / RHEL-10-500390V-258188 / RHEL-09-654070V-230449
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#syscall#file-access