Configure auditing of unsuccessful file deletions (ppc64le)
Ubuntu 22.04
Inspect the contents of /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
^.*$
1
## Unsuccessful file delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete