4.1.13 Ensure file deletion events by users are collected - rules.d 32-bit

Information

Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for following system calls and tags them with the identifier 'delete':

unlink - remove a file

unlinkat - remove a file attribute

rename - rename a file

renameat - rename a file attribute

Notes:

Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:

# awk '/^s*UID_MIN/{print $2}' /etc/login.defs

If your systems' UID_MIN is not 500, replace audit>=500 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures.

At a minimum, configure the audit system to collect file deletion events for all users and root.

Reloading the auditd config to set active settings may require a system reboot.

Rationale:

Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/10-deletion.rules
Add the following lines:

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/10-deletion.rules
Add the following lines:

-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

See Also

https://workbench.cisecurity.org/files/3144

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AU-3, 800-53|AU-12, 800-53|SC-7(10), CSCv7|6.2, CSCv7|13

Plugin: Unix

Control ID: 79230a5eebfca489c0eb4deaa1d18381d33423b8ef1399826e0e9768ac9821ca