{"description": "At a minimum, the audit system should collect unauthorized file\naccesses for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access\n    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</pre>\nIf your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:\n<pre>-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access\n    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</pre>", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["audit_rules_successful_file_modification_chmod", "audit_rules_successful_file_modification_chown", "audit_rules_successful_file_modification_creat", "audit_rules_successful_file_modification_fchmod", "audit_rules_successful_file_modification_fchmodat", "audit_rules_successful_file_modification_fchown", "audit_rules_successful_file_modification_fchownat", "audit_rules_successful_file_modification_fremovexattr", "audit_rules_successful_file_modification_fsetxattr", "audit_rules_successful_file_modification_ftruncate", "audit_rules_successful_file_modification_lchown", "audit_rules_successful_file_modification_lremovexattr", "audit_rules_successful_file_modification_lsetxattr", "audit_rules_successful_file_modification_open", "audit_rules_successful_file_modification_open_by_handle_at", "audit_rules_successful_file_modification_open_by_handle_at_o_creat", "audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write", "audit_rules_successful_file_modification_open_o_creat", "audit_rules_successful_file_modification_open_o_trunc_write", "audit_rules_successful_file_modification_openat", "audit_rules_successful_file_modification_openat_o_creat", "audit_rules_successful_file_modification_openat_o_trunc_write", "audit_rules_successful_file_modification_removexattr", "audit_rules_successful_file_modification_rename", "audit_rules_successful_file_modification_renameat", "audit_rules_successful_file_modification_setxattr", "audit_rules_successful_file_modification_truncate", "audit_rules_successful_file_modification_unlink", "audit_rules_successful_file_modification_unlinkat", "audit_rules_unsuccessful_file_modification", "audit_rules_unsuccessful_file_modification_chmod", "audit_rules_unsuccessful_file_modification_chown", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_fchmod", "audit_rules_unsuccessful_file_modification_fchmodat", "audit_rules_unsuccessful_file_modification_fchown", "audit_rules_unsuccessful_file_modification_fchownat", "audit_rules_unsuccessful_file_modification_fremovexattr", "audit_rules_unsuccessful_file_modification_fsetxattr", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_lchown", "audit_rules_unsuccessful_file_modification_lremovexattr", "audit_rules_unsuccessful_file_modification_lsetxattr", "audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat", "audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write", "audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order", "audit_rules_unsuccessful_file_modification_open_o_creat", "audit_rules_unsuccessful_file_modification_open_o_trunc_write", "audit_rules_unsuccessful_file_modification_open_rule_order", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_unsuccessful_file_modification_openat_o_creat", "audit_rules_unsuccessful_file_modification_openat_o_trunc_write", "audit_rules_unsuccessful_file_modification_openat_rule_order", "audit_rules_unsuccessful_file_modification_removexattr", "audit_rules_unsuccessful_file_modification_rename", "audit_rules_unsuccessful_file_modification_renameat", "audit_rules_unsuccessful_file_modification_renameat2", "audit_rules_unsuccessful_file_modification_setxattr", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_unsuccessful_file_modification_unlink", "audit_rules_unsuccessful_file_modification_unlinkat"], "platform": "", "platforms": [], "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "title": "Record Unauthorized Access Attempts Events to Files (unsuccessful)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/group.yml"}