SV-99389r1_rule
V-88739
SRG-OS-000474-GPOS-00219
VROM-SL-001425
CAT II
10
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs:
-a exit,always -F arch=b64 -S truncate -F success=0
-a exit,always -F arch=b32 -S truncate -F success=0
Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0)
# cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S truncate" | grep -e "-F success=0"
There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.
V-88739
False
VROM-SL-001425
Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0)
# cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S truncate" | grep -e "-F success=0"
There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.
M
3461