Details
The audit system _MUST_ be configured to record enforcement actions of access restrictions, including failed file read (-fr) attempts.
Enforcement actions are the methods or mechanisms used to prevent unauthorized access and/or changes to configuration settings. One common and effective enforcement action method is using access restrictions (e.g., denying access to a file by applying file permissions).
This configuration ensures that audit lists include events in which enforcement actions prevent attempts to read a file.
Without auditing the enforcement of access restrictions, it is difficult to identify attempted attacks, as there is no audit trail available for forensic investigation.
Solution
Run the following bash code
/usr/bin/grep -qE "^flags.*-fr" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,-fr/' /etc/security/audit_control;/usr/sbin/audit -s
----
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Audit and Accountability, Configuration Management, Maintenance.This control applies to the following type of system Unix.
References
- 800-53|AC-2(12)
- 800-53|AU-2
- 800-53|AU-9
- 800-53|AU-12
- 800-53|AU-12c.
- 800-53|CM-5(1)
- 800-53|MA-4(1)
- CCE|CCE-85265-7, CCI|CCI-000172
- CCI|CCI-001814
- STIG-ID|APPL-11-001020