Record Successful Delete Attempts to Files - unlinkat
An XCCDF Rule
Description
At a minimum, the audit system should collect file
deletion for all users and root. If the auditd
daemon is configured
to use the augenrules
program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules
in the directory /etc/audit/rules.d
:
-a always,exit -F arch=b32 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-deleteIf the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-deleteIf the
auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules
file:
-a always,exit -F arch=b32 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-deleteIf the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
warning alert: Warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
Rationale
File deletion attempts could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_successful_file_modification_unlinkat
- Severity
- Medium
- References
- Updated