{"description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, setting ARCH to either b32 for 32-bit\nsystem, or having two lines for both b32 and b64 in case your system is 64-bit:\n-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 for 32-bit\nsystem, or having two lines for both b32 and b64 in case your system is 64-bit:\n-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
", "rationale": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.4", "A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.1.1", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.MA-2", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.7"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-OS-000466-GPOS-00210", "SRG-OS-000467-GPOS-00211", "SRG-OS-000468-GPOS-00212", "SRG-APP-000495-CTR-001235", "SRG-APP-000499-CTR-001255", "SRG-APP-000501-CTR-001265", "SRG-APP-000502-CTR-001270"], "anssi": ["R73"], "cis": ["6.3.3.13"], "pcidss4": ["10.2.1.7", "10.2.1", "10.2"], "stigid": ["UBTU-22-654185"], "stigref": ["SV-260639r991577_rule"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.13"], "pcidss4": ["10.2.1.7", "10.2.1", "10.2"], "stigid": ["UBTU-22-654185"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\nrename system call, run the following command:\n$ sudo grep \"rename\" /etc/audit/audit.*
\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"rename\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/delete.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete\n -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete\n It's allowed to group this system call within the same line as \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\".\n\n The audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the rename system call in Ubuntu 22.04 must generate an audit record.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must audit all uses of the rename,unlink,rmdir,renameat,renameat2 and unlinkat system calls.", "vuldiscussion": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", "checktext": "Verify that Ubuntu 22.04 is configured to audit successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", \"renameat2\", and \"unlinkat\" system calls with the following command:\n\n$ sudo auditctl -l | grep 'rename\\|unlink\\|rmdir'\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nIf the command does not return an audit rule for \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" or any of the lines returned are commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to generate an audit event for any successful/unsuccessful use of the \"rename\", \"unlink\", \"rmdir\", \"renameat\", \"renameat2\", and \"unlinkat\" system calls by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects File Deletion Events by User - rename", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml", "template": {"name": "audit_rules_file_deletion_events", "vars": {"name": "rename", "syscall_grouping": ["unlink", "unlinkat", "rename", "renameat", "renameat2", "rmdir"]}, "backends": {}}}