Ensure auditd Collects File Deletion Events by User - unlinkat

An XCCDF Rule

Description

At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

Rationale

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.

ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Severity: Medium
References: BP28(R73)

1 11 12 13 14 15 16 19 2 3 4 5 6 7 8 9

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 APO12.06 APO13.01 BAI03.05 BAI08.02 DSS01.03 DSS01.04 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS03.05 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

3.1.7

CCI-000130 CCI-000135 CCI-000169 CCI-000172 CCI-000366 CCI-002884

164.308(a)(1)(ii)(D) 164.308(a)(3)(ii)(A) 164.308(a)(5)(ii)(C) 164.312(a)(2)(i) 164.312(b) 164.312(d) 164.312(e)

4.2.3.10 4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 1.13 SR 2.10 SR 2.11 SR 2.12 SR 2.6 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6

A.11.2.4 A.11.2.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.7 A.15.1.1 A.15.2.1 A.15.2.2 A.16.1.4 A.16.1.5 A.16.1.7 A.6.2.1 A.6.2.2

AU-12(c) AU-2(d) CM-6(a)

DE.AE-3 DE.AE-5 DE.CM-1 DE.CM-3 DE.CM-7 ID.SC-4 PR.AC-3 PR.MA-2 PR.PT-1 PR.PT-4 RS.AN-1 RS.AN-4

FAU_GEN.1.1.c

Req-10.2.7

10.2.1.7

SRG-OS-000037-GPOS-00015 SRG-OS-000042-GPOS-00020 SRG-OS-000062-GPOS-00031 SRG-OS-000392-GPOS-00172 SRG-OS-000462-GPOS-00206 SRG-OS-000466-GPOS-00210 SRG-OS-000467-GPOS-00211 SRG-OS-000468-GPOS-00212 SRG-OS-000471-GPOS-00215

CCE-82579-4

SRG-APP-000495-CTR-001235 SRG-APP-000499-CTR-001255 SRG-APP-000501-CTR-001265 SRG-APP-000502-CTR-001270
Updated: about 1 year ago


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
        mode: 0644
        path: /etc/audit/rules.d/75-unlinkat-file-deletion-events.rules
        overwrite: true

Ensure auditd Collects File Deletion Events by User - unlinkat

Description

Rationale

Remediation - Kubernetes Patch