Detections
Analytics
5.2.3.13 Ensure file deletion events by users are collected
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for:- unlink - remove a file
- unlinkat - remove a file attribute
- rename - rename a file
- renameat rename a file attributesystem calls and tags them with the identifier "delete".
Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.
Solution
Create audit rulesEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor file deletion events by users.
64 Bit systems
Example:
# {
UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && printf "
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${UID_MIN} -F auid!=unset -F key=delete
" >> /etc/audit/rules.d/50-delete.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n"
}
Load audit rules
Merge and load the rules into active configuration:
# augenrules --load
Check if reboot is required.
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
32 Bit systems
Follow the same procedures as for 64 bit systems and ignore any entries with b64.
See Also
Item Details
Audit Name: CIS Amazon Linux 2 v3.0.0 L2
References: CSCv7|6.2
Plugin: Unix
Control ID: 5f3f6cf0d57bceb998e02155cac5b217b99485ea2df5bcac322abaf332f25edb