{"description": "The <tt>open</tt> syscall can be used to create new files\nwhen the O_CREAT flag is specified.\n\nThe following audit rules will assure that successful attempts to create a\nfile via the <tt>open</tt> syscall are collected.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nrules below to a file with suffix <tt>.rules</tt> in the directory\n<tt>/etc/audit/rules.d</tt>.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the rules below to\nthe <tt>/etc/audit/audit.rules</tt> file.\n\n<pre>\n-a always,exit -F arch=b32 -S open -F a2&amp;0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create\n</pre>\n\nIf the system is 64-bit, also add the following line:\n<pre>\n-a always,exit -F arch=b64 -S open -F a2&amp;0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create\n</pre>", "rationale": "Successful attempts to access files could be an indicator of malicious activity on a system. Auditing\nthese events could serve as evidence of potential system compromise.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit successful calls\nto the <code>open</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"open\" /etc/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping system calls related\nto the same event is more efficient. See the following example:\n<pre>-a always,exit -F arch=b32 -S open,open -F a2&amp;0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create</pre>"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Successful Creation Attempts to Files - open O_CREAT", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_open_o_creat/rule.yml", "template": null}