← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit unsuccessful file-access attempts (Ubuntu)

audit-syscall-unsuccessful-access · UBUNTU ≥ 22 · 1 impl

Description

The system must generate an audit record for unsuccessful file-access attempts so that the responsible user can be identified.

Rationale

Auditing these system calls supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
persist_file:
/etc/audit/rules.d/50-syscall-unsuccessful-access.rules

Framework references

STIG

V-270787 / UBTU-24-900160V-260635 / UBTU-22-654165

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#syscall