Information
The operating system must audit all uses of the unlinkat syscall.
Rationale:
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Solution
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the unlinkat syscall occur.
Add the following rules in /etc/audit/rules.d/audit.rules:
Example: vim /etc/audit/rules.d/audit.rules
Add, uncomment, or update the following lines for the appropriate system architecture.
Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
The audit daemon must be restarted for the changes to take effect.
# service auditd restart
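As an added compliance check (not part of the STIG text), the Python below parses an audit.rules file and reports which architectures still lack an unlinkat rule carrying all of the required fields; the sample rules content is constructed and the function names are my own.

```python
import re
import shlex

# Constructed sample of /etc/audit/rules.d/audit.rules content (not from a real host):
# the b64 rule is complete, the b32 rule is missing the auid!=4294967295 filter.
SAMPLE_RULES = """\
## Audit deletes
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -k delete
"""

# auditctl accepts these three spellings of the "unset" login UID as equivalent.
UNSET_AUID = {"4294967295", "-1", "unset"}

def parse_rule(line):
    """Return (arch, syscalls, filters, key) for one '-a always,exit' rule, else None."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "-a" or tokens[1] != "always,exit":
        return None
    arch, syscalls, filters, key = None, set(), set(), None
    # Fields may appear in any order, so walk flag/value pairs rather than fixed positions.
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-S":
            syscalls.update(value.split(","))   # "-S unlink,unlinkat" lists several syscalls
        elif flag == "-F":
            m = re.fullmatch(r"arch=(b32|b64)", value)
            if m:
                arch = m.group(1)
            else:
                filters.add(value)
        elif flag == "-k":
            key = value
    return arch, syscalls, filters, key

def missing_unlinkat_arches(rules_text, required=("b32", "b64")):
    """Return the architectures in `required` that have no compliant unlinkat rule."""
    covered = set()
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        arch, syscalls, filters, key = parsed
        if "unlinkat" not in syscalls or key is None:
            continue
        excludes_unset = any(f"auid!={v}" in filters for v in UNSET_AUID)
        if "auid>=1000" in filters and excludes_unset:
            covered.add(arch)
    return [a for a in required if a not in covered]

if __name__ == "__main__":
    print(missing_unlinkat_arches(SAMPLE_RULES))  # ['b32']
```

On a real host, pass the contents of /etc/audit/rules.d/audit.rules (or the output of `auditctl -l`) to missing_unlinkat_arches; an empty list means both architectures are covered.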
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72207
Rule ID: SV-86831r4_rule
STIG ID: RHEL-07-030920
Severity: CAT II