mediumauditverified ✓✓rollback-safe
Audit unsuccessful file-access attempts (Ubuntu)
audit-syscall-unsuccessful-access · UBUNTU ≥ 22 · 1 impl
Description
The system must generate an audit record for unsuccessful file-access attempts so that the responsible user can be identified.
Rationale
Auditing these system calls supports detection of unauthorized changes and forensic reconstruction of events.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
- persist_file:
- /etc/audit/rules.d/50-syscall-unsuccessful-access.rules
Framework references
STIG
V-270787 / UBTU-24-900160V-260635 / UBTU-22-654165
NIST 800-53
AU-2AU-12
Live verification
ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#syscall