4.1.3.28 Ensure audit unlinkat syscall - 64 bit

Information

The operating system must audit all uses of the unlinkat syscall.

Rationale:

If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Solution

Configure the operating system to generate audit records when successful or unsuccessful attempts to use the unlinkat syscall occur.
Add the following rules to /etc/audit/rules.d/audit.rules:
Example: vim /etc/audit/rules.d/audit.rules
Add, uncomment, or update the line(s) appropriate for the system architecture.
Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. On a 64-bit system both lines are required, because 32-bit binaries still enter the kernel through the 32-bit syscall ABI and would otherwise bypass the b64 rule; a 32-bit system needs only the arch=b32 line. The auid>=1000 and auid!=4294967295 filters restrict the rule to actions by real (non-system) users whose login UID has been set; 4294967295 is the value of an unset login UID.

-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete

Files in /etc/audit/rules.d/ are merged by augenrules into /etc/audit/audit.rules and loaded into the kernel when the audit daemon is restarted. On RHEL 7 use the service script, since systemctl refuses manual restarts of auditd:

# service auditd restart

Alternatively, load the merged rules without restarting the daemon:

# augenrules --load

Confirm the rules are active in the kernel:

# auditctl -l | grep unlinkat
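An added check script, not part of the benchmark or the Tenable plugin, that verifies a rules file contains a complete unlinkat rule for every architecture a host needs (both b32 and b64 on a 64-bit machine type, only b32 otherwise, matching the requirement above). It parses the audit rule syntax field by field rather than grepping for the literal line, so it also accepts an equivalent rule that lists several syscalls in one -S argument, uses auid!=unset, or names the key with -F key=. The sample rules file is constructed inline so the script runs offline; the function names and the SAMPLE_RULES text are this example's own.

```bash
#!/bin/sh
# Added example: verify unlinkat audit rules on disk (or in `auditctl -l` output).
# Not part of the CIS/STIG text; function names and sample input are this example's own.

# check_unlinkat_rule FILE ARCH -> 0 if FILE holds one rule line carrying every
# required field for ARCH: -a always,exit, -F arch=ARCH, unlinkat in the -S list,
# -F auid>=1000, -F auid!=4294967295 (or unset), and a key (-k KEY or -F key=KEY).
check_unlinkat_rule() {
    file=$1; arch=$2
    grep -v '^[[:space:]]*#' "$file" \
      | grep -E -- '-a[[:space:]]+(always,exit|exit,always)' \
      | grep -E -- "-F[[:space:]]+arch=$arch([[:space:]]|$)" \
      | grep -E -- '-S[[:space:]]+([^[:space:]]*,)?unlinkat(,|[[:space:]]|$)' \
      | grep -E -- '-F[[:space:]]+auid>=1000([[:space:]]|$)' \
      | grep -E -- '-F[[:space:]]+auid!=(4294967295|unset)([[:space:]]|$)' \
      | grep -E -q -- '(-k[[:space:]]+[^[:space:]]+|-F[[:space:]]+key=[^[:space:]]+)'
}

# expected_archs MACHINE -> arch filters a host of that `uname -m` type must carry.
# Assumption (per the benchmark note): 64-bit hosts need both b32 and b64 rules.
expected_archs() {
    case $1 in
        x86_64|aarch64|ppc64|ppc64le|s390x) echo "b32 b64" ;;
        *) echo "b32" ;;
    esac
}

# verify_unlinkat_audit FILE MACHINE -> 0 only if a rule exists for every
# required arch; reports each missing arch on stderr.
verify_unlinkat_audit() {
    file=$1; machine=$2; rc=0
    for arch in $(expected_archs "$machine"); do
        if check_unlinkat_rule "$file" "$arch"; then
            echo "ok: unlinkat rule for arch=$arch present in $file"
        else
            echo "MISSING: unlinkat rule for arch=$arch in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample rules file: the two benchmark lines, a comment, an unrelated rule.
SAMPLE_RULES='# delete events
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k scope'

# Stand-alone demo against the constructed sample for an x86_64 host.
# On a real host run: verify_unlinkat_audit /etc/audit/rules.d/audit.rules "$(uname -m)"
# or feed it `auditctl -l` output to check what the kernel actually loaded.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    verify_unlinkat_audit "$tmp" x86_64
    rc=$?
    rm -f "$tmp"
    return $rc
}
demo
```

Checking the loaded rules (`auditctl -l`) as well as the on-disk file matters: a syntax error elsewhere in rules.d can make augenrules load only part of the set, so the file can look compliant while the kernel has no unlinkat rule. After loading, delete a file as a normal user and confirm an event appears with `ausearch -k delete`.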

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

References: 800-53|AU-12c., 800-53|MA-4(1)(a), CCI|CCI-000172, CCI|CCI-002884, CSCv7|6.2, Rule-ID|SV-204573r603261_rule, STIG-ID|RHEL-07-030920

Plugin: Unix

Control ID: 620ba53cfbe191135c193a3a662ccf7dcbb21383afff002c547a1d7ec0674815