4.1.15 Ensure file deletion events by users are collected - auditctl b32 unlink

Information

Monitor the use of system calls associated with the deletion or renaming of files and file
attributes. This configuration statement sets up monitoring for the unlink (remove a file),
unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file
attribute) system calls and tags them with the identifier "delete".

Rationale:

Monitoring these calls from non-privileged users could provide a system administrator
with evidence that inappropriate removal of files and file attributes associated with
protected files is occurring. While this audit option will look at all events, system
administrators will want to look for specific privileged files that are being deleted or
altered.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in
.rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F
auid>=500 -F auid!=4294967295 -k delete

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in
.rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F
auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F
auid>=500 -F auid!=4294967295 -k delete

Notes:

At a minimum, configure the audit system to collect file deletion events for all users and
root.

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(10), CSCv6|13, CSCv7|13

Plugin: Unix

Control ID: a7959b24cf534471f9860da40b4ea06e73b55d39a435df5bef8af51f3b4956dd