← Rules Catalog
mediumauditverified rollback-safe

Audit unsuccessful file access attempts

audit-unsuccessful-access · RHEL ≥ 8 · 1 impl

Description

The system must audit unsuccessful access attempts to files and directories to detect potential intrusion attempts.

Rationale

Failed file access attempts may indicate an attacker probing the system for vulnerabilities. Auditing these events helps detect reconnaissance and unauthorized access attempts.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -k access
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -k access
persist_file:
/etc/audit/rules.d/50-access.rules

Framework references

CIS

rhel8 6.3.3.7rhel9 6.3.3.7rhel10 6.3.3.11

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#file-access#failed#intrusion-detection#stig