Profile Applicability:
• Level 2
Description:
Unsuccessful file access attempts indicate possible unauthorized or malicious activity targeting protected files. Collecting audit logs of these attempts provides early warning signs and supports incident response.
Rationale:
Monitoring failed file access attempts helps detect potential intrusion attempts or misconfigurations, improving overall system security.
Impact:
Pros:
Provides visibility into unauthorized access attempts.
Enables proactive security monitoring and incident investigation.
Cons:
May increase audit log volume; requires effective log management.
Default Value:
Audit rules for unsuccessful file access may not be enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check current audit rules for failed file access attempts:
auditctl -l | grep access
Verify that the output lists rules keyed access for failed open attempts on both the b64 and b32 architectures.
Implementation Plan:
Using Linux command line:
Add audit rules to log failed file access attempts, for example:
auditctl -a always,exit -F arch=b64 -S open -F success=0 -k access
auditctl -a always,exit -F arch=b32 -S open -F success=0 -k access
Persist the audit rules so they survive a reboot by adding them to /etc/audit/rules.d/audit.rules.
Backout Plan:
Using Linux command line:
Remove or disable related audit rules if needed:
auditctl -d always,exit -F arch=b64 -S open -F success=0 -k access
auditctl -d always,exit -F arch=b32 -S open -F success=0 -k access
Reload audit daemon configuration.
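The test, implementation and backout steps above can be wrapped in one script. The following is an added example, not part of the benchmark text: it renders the two rules from the implementation plan as the content to persist, checks an auditctl -l listing for both architectures, and only touches the live system when run with --apply. The RULES_FILE default, the sample listing and the acceptance of both key spellings (-k access and -F key=access, which differ between auditctl versions) are assumptions.

```shell
#!/bin/sh
# Added example (not from the benchmark): render, check and apply the
# "access" audit rules for unsuccessful file access attempts.
# RULES_FILE default and SAMPLE_LISTING are assumptions for illustration.

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# The two rules from the implementation plan, one per line.
ACCESS_RULES='-a always,exit -F arch=b64 -S open -F success=0 -k access
-a always,exit -F arch=b32 -S open -F success=0 -k access'

# Print the lines that should be present in the persistent rules file.
render_rules_file() {
    printf '%s\n' "$ACCESS_RULES"
}

# Read an `auditctl -l` listing on stdin and report whether both
# architectures are covered. auditctl may print the key as `-k access`
# or `-F key=access` depending on version, so both spellings are accepted.
# Returns 0 when both rules are present, 1 otherwise.
check_access_rules() {
    listing=$(cat)
    missing=0
    for arch in b64 b32; do
        if ! printf '%s\n' "$listing" \
            | grep -E -- "-F arch=$arch -S open -F success=0 (-k access|-F key=access)" >/dev/null; then
            echo "missing: arch=$arch rule for failed open() with key access" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Append any rule not already in RULES_FILE, then load the persistent
# rule set into the running audit daemon. Requires root.
apply_access_rules() {
    render_rules_file | while IFS= read -r rule; do
        grep -qxF -- "$rule" "$RULES_FILE" 2>/dev/null \
            || printf '%s\n' "$rule" >> "$RULES_FILE"
    done
    augenrules --load
}

# Constructed sample, standing in for real `auditctl -l` output.
SAMPLE_LISTING='-a always,exit -F arch=b64 -S open -F success=0 -F key=access
-a always,exit -F arch=b32 -S open -F success=0 -F key=access'

case "${1:-}" in
    --apply) apply_access_rules ;;
    --live)  auditctl -l | check_access_rules && echo "live: access rules present" ;;
    *)       printf '%s\n' "$SAMPLE_LISTING" | check_access_rules \
                 && echo "sample listing: access rules present" ;;
esac
```

Run without arguments to exercise the check against the constructed listing, with --live (as root) to check the running rule set, and with --apply (as root) to persist and load the rules. The backout step is the same two auditctl -d commands from the page followed by removing the lines from RULES_FILE and running augenrules --load again.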
References:
CIS Amazon Linux 2 Benchmark v3.0.0