Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:11 [2017/05/04 16:12] (current)
Line 1: Line 1:
 +======4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 2 - Server
 +Level 2 - Workstation ​
 +</​code>​
  
 +=====Description=====
 +Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (''​creat''​),​ opening (''​open'',​ ''​openat''​) and truncation (''​truncate'',​ ''​ftruncate''​) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "​access."​
 +
 +=====Rationale=====
 +Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.
 +
 +=====Audit===== ​
 +On a 32 bit system run the following command and verify the output matches:
 +<​Code:​bash>​
 +# grep access /​etc/​audit/​audit.rules ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>​=1000 -F auid!=4294967295 -k access
 +</​Code>​
 +On a 64 bit system run the following command and verify the output matches:
 +<​Code:​bash>​
 +# grep access /​etc/​audit/​audit.rules ​
 +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>​=1000 -F auid!=4294967295 -k access
 +</​Code>​
 +
 +=====Remediation===== ​
 +For 32 bit systems add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>​=1000 -F auid!=4294967295 -k access
 +</​Code>​
 +For 64 bit systems add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>​=1000 -F auid!=4294967295 -k access ​
 +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>​=1000 -F auid!=4294967295 -k access
 +</​Code>​