4.1.2.14 Ensure audit of the rmdir syscall - 64 bit

Information

The operating system must audit all uses of the rmdir syscall.

Rationale:

If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Solution

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the rmdir syscall occur.
Add the following rules to /etc/audit/rules.d/audit.rules:
Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. Only the lines appropriate for the system architecture must be configured.
Example: vim /etc/audit/rules.d/audit.rules
Add, uncomment or update the following line that fits your system architecture:

-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete

The audit daemon must be restarted for the changes to take effect.

# service auditd restart
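Added example, not part of the benchmark text: a POSIX shell check that verifies a rules file carries the rmdir audit rule for each required architecture. It matches lines of the form the Solution shows (`-a always,exit`, `-F arch=...`, a `-S` list containing rmdir, the two auid filters, and `-k delete`), ignores commented-out lines, and defaults to checking both b32 and b64 because a 64-bit kernel serves both syscall ABIs; pass a single architecture as the second argument to check only one. The accepted spellings `-1` and `unset` for the unset auid are an assumption about newer auditctl versions, not something the page states; the sample rules file is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark page or any project): check a rules
# file for the rmdir audit rules this item requires.

# has_rmdir_rule FILE ARCH
# Returns 0 when FILE contains an uncommented rule that audits rmdir for
# ARCH (b32 or b64) with the auid>=1000 / auid!=unset filters and -k delete.
has_rmdir_rule() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -E '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)' \
      | grep -E -- "-F[[:space:]]+arch=$2([[:space:]]|\$)" \
      | grep -E -- '-S[[:space:]]+([^[:space:]]+,)?rmdir(,[^[:space:]]+)?([[:space:]]|$)' \
      | grep -E -- '-F[[:space:]]+auid>=1000' \
      | grep -E -- '-F[[:space:]]+auid!=(4294967295|-1|unset)' \
      | grep -E -q -- '-k[[:space:]]+delete'
}

# check_rmdir_audit FILE [ARCHS]
# Prints a PASS/FAIL line per architecture (default: "b32 b64") and returns
# 0 only when every required rule is present.
check_rmdir_audit() {
    file=$1
    archs=${2:-b32 b64}
    status=0
    for arch in $archs; do
        if has_rmdir_rule "$file" "$arch"; then
            echo "PASS: rmdir audit rule for arch=$arch present in $file"
        else
            echo "FAIL: rmdir audit rule for arch=$arch missing from $file"
            status=1
        fi
    done
    return $status
}

# Constructed sample rules file: the b32 line is still commented out, the
# b64 line is active. Not a real system file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
## constructed sample for demonstration
#-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
EOF

# Usage: the sample fails the default check (b32 missing) but passes for b64.
if check_rmdir_audit "$SAMPLE"; then
    echo "sample: all required rules present"
else
    echo "sample: one or more required rules missing"
fi
check_rmdir_audit "$SAMPLE" b64 >/dev/null && echo "sample: b64 rule present"
```

This only inspects the on-disk rules; after `service auditd restart` the loaded ruleset is what `auditctl -l` reports, and a mismatch between the two is itself a finding worth raising.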

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019

Vul ID: V-72203

Rule ID: SV-86827r4_rule

STIG ID: RHEL-07-030900

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 6a57694cf4bdcda86a6bba7f3a0f21f56e1f7d2c8f701b3eeeebf3e76bfb30fb