{"description": "The audit system should collect detailed unauthorized file accesses for\nall users and root. The <tt>open</tt> syscall can be used to modify files\nif called for write operation of with O_TRUNC_WRITE flag.\nThe following auidt rules will assure that unsuccessful attempts to modify a\nfile via <tt>open</tt> syscall are collected.\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nrules below to a file with suffix <tt>.rules</tt> in the directory\n<tt>/etc/audit/rules.d</tt>.\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the rules below to\n<tt>/etc/audit/audit.rules</tt> file.\n<pre>\n-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification\n-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification\n</pre>\nIf the system is 64 bit then also add the following lines:\n<pre>\n-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification\n-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification\n</pre>", "rationale": "Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing\nthese events could serve as evidence of potential system compromise.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.4", "Req-10.2.1"], "srg": ["SRG-OS-000064-GPOS-00033", "SRG-OS-000458-GPOS-00203", "SRG-OS-000461-GPOS-00205", "SRG-OS-000392-GPOS-00172"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to modify files using the open system call with O_TRUNC_WRITE flag.\n\nIf the auditd daemon is configured to use the \"augenrules\" program to read audit rules during daemon startup (the default), run the following command:\n\n$ sudo grep -r open /etc/audit/rules.d\n\nIf the auditd daemon is configured to use the \"auditctl\" utility to read audit rules during daemon startup, run the following command:\n\n$ sudo grep open /etc/audit/audit.rules\n\nThe output should be the following:\n\n-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create\n-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create\n-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create\n-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"open\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/unsuccesful-modification.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccesful-modification\n-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccesful-modification\n\n-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccesful-modification\n-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccesful-modification\n\n\nIt's allowed to group this system call within the same line as \"openat\" and \"open_by_handle_at\".\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping system calls related\nto the same event is more efficient. See the following example:\n<pre>-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification</pre>"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write/rule.yml", "template": {"vars": {"pos": "a1", "syscall": "open"}, "name": "audit_rules_unsuccessful_file_modification_o_trunc_write", "backends": {}}}