{"description": "\nThe audit system should collect unsuccessful file deletion\nattempts for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following lines to a file with suffix\n.rules in the directory /etc/audit/rules.d.\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following lines to\n/etc/audit/audit.rules file.\n-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
\n\nIf the system is 64 bit then also add the following lines:\n\n-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
", "rationale": "Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing\nthese events could serve as evidence of potential system compromise.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.4", "Req-10.2.1"], "srg": ["SRG-OS-000064-GPOS-00033", "SRG-OS-000392-GPOS-00172", "SRG-OS-000458-GPOS-00203", "SRG-OS-000461-GPOS-00205", "SRG-OS-000468-GPOS-00212", "SRG-APP-000501-CTR-001265", "SRG-APP-000502-CTR-001270"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the unlink system call.\n\nIf the auditd daemon is configured to use the \"augenrules\" program to to read audit rules during daemon startup (the default), run the following command:\n\n$ sudo grep -r unlink /etc/audit/rules.d\n\nIf the auditd daemon is configured to use the \"auditctl\" utility to read audit rules during daemon startup, run the following command:\n\n$ sudo grep unlink /etc/audit/audit.rules\n\nThe output should be the following:\n\n-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccessful-delete\n-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"unlink\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/access.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access\n-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access\n\n-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access\n-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access\n\n\nIt's allowed to group this system call within the same line as rename, renameat and unlinkat.\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the unlink system call in Ubuntu 22.04 must generate an audit record.", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping system calls related\nto the same event is more efficient. See the following example:\n\n-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Unsuccessful Delete Attempts to Files - unlink", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml", "template": {"name": "audit_rules_unsuccessful_file_modification", "vars": {"name": "unlink", "syscall_grouping": ["rename", "renameat", "unlink", "unlinkat"]}, "backends": {}}}