1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
documentation_complete: true
title: 'Configure auditing of unsuccessful file modifications'
{{% set file_contents_audit_modify_failed =
"## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=unsuccessful-modification" %}}
description: |-
Ensure that unsuccessful attempts to modify a file are audited.
The following rules configure audit as described above:
<pre>{{{ file_contents_audit_modify_failed|indent }}} </pre>
Load new Audit rules into kernel by running:
<pre>augenrules --load</pre>
Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
rationale: |-
Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
severity: medium
# on RHEL9+ there are rules which cover particular hardware architectures
# so do not apply this rule but apply the specific one instead
{{% if product in ["rhel9", "rhel10"] %}}
platforms:
- not aarch64_arch and not ppc64le_arch
{{% endif %}}
identifiers:
cce@rhel8: CCE-82830-1
cce@rhel9: CCE-83671-8
cce@rhel10: CCE-89667-0
references:
nist: AU-2(a)
ospp: FAU_GEN.1.1.c
srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-APP-000091-CTR-000160,SRG-APP-000492-CTR-001220,SRG-APP-000493-CTR-001225,SRG-APP-000494-CTR-001230,SRG-APP-000500-CTR-001260,SRG-APP-000507-CTR-001295
ocil_clause: 'the file does not exist or the content differs'
ocil: |-
To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
<pre>cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules</pre>
The output has to be exactly as follows:
<pre>{{{ file_contents_audit_modify_failed|indent }}} </pre>
template:
name: audit_file_contents
vars:
filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
contents: |-
{{{ file_contents_audit_modify_failed|indent(12) }}}
|
