6.3.3.24 Ensure unlink file deletion events by users are collected

Information

Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for:

- unlink - remove a file
- unlinkat - remove a file attributesystem calls and tags them with the identifier "delete".

Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.

Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215

Solution

Note:

- The -w option is deprecated and the rule should be updated in accordance with the Remediation Procedure.
- For best performance, the arch field should be supplied in the rule. The individual permissions will cause the selection of specific system calls that use that kind of access. Not supplying the arch will cause the selection of all system calls which will affect performance as all system calls will be evaluated.

- Edit or create a file in the /etc/audit/rules.d/ directory, ending inrules extension, with the relevant rules to monitor file deletion events by users.

Example:

# printf "
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=unset -F key=delete
" >> /etc/audit/rules.d/50-delete.rules

Note: The auid>= value should be set to the same value as UID_MIN value in /etc/login.defs

<xhtml:ol start="2"> - Merge and load the rules into active configuration:

# augenrules --load <xhtml:ol start="3"> - Check if reboot is required:

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi

See Also

https://workbench.cisecurity.org/benchmarks/23593