mediumauditverified ✓rollback-safe
Audit unsuccessful file access attempts
audit-unsuccessful-access · RHEL ≥ 8 · 1 impl
Description
The system must audit unsuccessful access attempts to files and directories to detect potential intrusion attempts.
Rationale
Failed file access attempts may indicate an attacker probing the system for vulnerabilities. Auditing these events helps detect reconnaissance and unauthorized access attempts.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -k access
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -k access
- persist_file:
- /etc/audit/rules.d/50-access.rules
Framework references
CIS
rhel8 6.3.3.7rhel9 6.3.3.7rhel10 6.3.3.11
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#file-access#failed#intrusion-detection#stig