4.1.2.16 Ensure audit unlinkat syscall - 32 bit

Information

The operating system must audit all uses of the unlinkat syscall.

Rationale:

If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Solution

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the unlinkat syscall occur.
Add the following rules in /etc/audit/rules.d/audit.rules:
Example: vim /etc/audit/rules.d/audit.rules
Add, uncomment, update the following line for the appropriate system architecture.
Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.

-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

The audit daemon must be restarted for the changes to take effect.

# service auditd restart

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72207

Rule ID: SV-86831r4_rule

STIG ID: RHEL-07-030920

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 53bad4def2062309015ea5742ceb99d2ba1453837aaa234d6b0b47cf63d0125b