Detections
Analytics
RHEL-06-000200 - The audit system must be configured to audit user deletions of files and programs - unlink 64 bit
Information
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.Solution
At a minimum, the audit system should collect file deletion events for all users and root. Add the following to '/etc/audit/audit.rules':-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
If the system is 64-bit, then also add the following:
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 6 STIG v2r2
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12c., CAT|III, CCI|CCI-000172, Rule-ID|SV-217978r603264_rule, STIG-ID|RHEL-06-000200, STIG-Legacy|SV-50376, STIG-Legacy|V-38575, Vuln-ID|V-217978
Plugin: Unix
Control ID: 553deab175da66d6993fe4e23c69aee0af362718fdb1978cb3f7dc861e4c0465