GEN002720 - The audit system must be configured to audit failed attempts to access files and programs - '-S creat -F exit=-EACCES'

Information

If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Solution

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs:

either:
-a exit,always -F arch=<ARCH> -S creat -F success=0

or both:
-a exit,always -F arch=<ARCH> -S creat -F exit=-EPERM
-a exit,always -F arch=<ARCH> -S creat -F exit=-EACCES

Restart the auditd service.
# service auditd restart

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2d., CAT|II, CCI|CCI-000126, Group-ID|V-814, Rule-ID|SV-38645r1_rule, STIG-ID|GEN002720, Vuln-ID|V-814

Plugin: Unix

Control ID: be1011abda49984014387e68b8e1f310287604b529c4c27734236dcae1fef8ce