Collect Unsuccessful Unauthorized Access Attempts to Files- ’32bit EPERM’

Details

Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid >= 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier 'access'.
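To show what the records produced by this control look like and how a defender would read them, here is an added shell example (not part of the benchmark). The SYSCALL records below are constructed for the example, in the one-line format auditd writes to /var/log/audit/audit.log with most fields omitted; the user ids, pids and process names are made up, while the field names (auid, exit, key) and the errno values EACCES = 13 and EPERM = 1 are the real ones.

```shell
#!/bin/sh
# Added example: summarise the audit records tagged with the 'access' key.
# The log lines are constructed for this example (fields abbreviated); the
# field names and errno values (EACCES = 13, EPERM = 1) are the real ones.

sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1657972800.101:201): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2001 pid=2345 auid=1000 uid=1000 euid=1000 comm="cat" exe="/bin/cat" key="access"
type=SYSCALL msg=audit(1657972801.202:202): arch=c000003e syscall=257 success=no exit=-1 items=1 ppid=2001 pid=2346 auid=1000 uid=1000 euid=1000 comm="touch" exe="/usr/bin/touch" key="access"
type=SYSCALL msg=audit(1657972802.303:203): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3001 pid=3456 auid=1001 uid=1001 euid=1001 comm="vim" exe="/usr/bin/vim" key="access"
type=SYSCALL msg=audit(1657972803.404:204): arch=c000003e syscall=87 success=no exit=-13 items=1 ppid=3001 pid=3457 auid=1001 uid=1001 euid=1001 comm="rm" exe="/bin/rm" key="delete"
EOF
}

# count_access_denials: read audit records on stdin and count, per login uid
# (auid), the SYSCALL records tagged key="access" whose return value is
# -EACCES (exit=-13) or -EPERM (exit=-1). Records with other keys are ignored.
count_access_denials() {
    awk '
    /^type=SYSCALL / && /key="access"/ {
        auid = ""; ex = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid") auid = kv[2]
            if (kv[1] == "exit") ex = kv[2]
        }
        if (ex == "-13" || ex == "-1") denials[auid]++
    }
    END { for (a in denials) printf "auid=%s denials=%d\n", a, denials[a] }
    ' | sort
}

# Demonstration on the constructed records; on a real host the same summary
# comes from the raw output of ausearch, e.g.: ausearch -k access -r | count_access_denials
sample_audit_log | count_access_denials
```

The summary groups by auid rather than uid because auid is the login uid that survives su and sudo, which is the value the rule filters on; a burst of denials for one auid across several commands is the pattern worth following up in the full records.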

*Rationale*

Failed attempts to open, create or truncate files could be an indication that an individual or

process is trying to gain unauthorized access to the system.

Solution

For 64 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd

For 32 bit systems, add the following lines to the /etc/audit/audit.rules file.

-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd
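A way to verify that a rules file actually carries the lines above, added here as an example and not taken from the benchmark: the function compares the file, with comments stripped and whitespace normalised, against the exact rule text for each architecture and error code. The sample rules file it writes is constructed (a 32-bit-only file), and the check is an exact-line match, so a rule that auditctl would accept with its flags in a different order is reported as missing.

```shell
#!/bin/sh
# Added example: verify that an audit rules file contains the 'access' rules
# from this control. The rule text is the benchmark's; the sample file and
# its path are constructed for the example.

# Print the expected rule for an architecture (b32|b64) and error (EACCES|EPERM).
expected_rule() {
    echo "-a always,exit -F arch=$1 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-$2 -F auid>=500 -F auid!=4294967295 -k access"
}

# check_access_rules FILE BITS
# BITS is 64 (needs the b64 and b32 pairs) or 32 (needs the b32 pair only).
# Prints every rule that is missing and returns 1 if any is missing.
check_access_rules() {
    file="$1"
    if [ "$2" = "64" ]; then archs="b64 b32"; else archs="b32"; fi
    status=0
    for arch in $archs; do
        for err in EACCES EPERM; do
            rule="$(expected_rule "$arch" "$err")"
            # Drop comments, collapse whitespace, then require an exact line match.
            if ! sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$file" \
                 | grep -Fxq -- "$rule"; then
                echo "MISSING ($arch $err): $rule"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample: a rules file with only the 32-bit pair, as on a 32-bit system.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Collect Unsuccessful Unauthorized Access Attempts to Files
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
EOF
}

# Demonstration: the sample passes as a 32-bit file and fails as a 64-bit one.
# On a real host: check_access_rules /etc/audit/audit.rules 64
sample="$(mktemp)"
write_sample_rules "$sample"
check_access_rules "$sample" 32 && echo "32-bit rules present"
check_access_rules "$sample" 64 || echo "64-bit rule set incomplete"
rm -f "$sample"
```

Checking the file is only half of the verification: after the HUP the loaded rules should also be listed with auditctl -l, since a syntax error earlier in the file stops auditctl from loading the lines after it.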

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022