Configure auditing of unsuccessful file deletions (ppc64le)
An XCCDF Rule
Description
Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above:
## Unsuccessful file delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteLoad new Audit rules into kernel by running:
augenrules --loadNote: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
Rationale
Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.
- ID
- xccdf_org.ssgproject.content_rule_audit_delete_failed_ppc64le
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -q ppc64le /proc/sys/kernel/osrelease; }; then
cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
## Unsuccessful file delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Remediation - Ansible
- name: Put contents into /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules according
to policy
copy:
dest: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
content: |
## Unsuccessful file delete