{"description": "The operating system must generate audit records for all uses of the <tt>renameat2</tt> system call.\nWithout generating audit records specific to the security and mission needs of the organization, it would be \ndifficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\nAdd or update the following lines to <tt>/etc/audit/rules.d/audit.rules</tt> to configure the operating system to generate \nan audit record for all uses of the <tt>renameat2</tt> system call:  \n<pre>\n-a always,exit -F arch=b32 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod</pre>", "rationale": "Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing\nthese events could serve as evidence of potential system compromise.", "severity": "medium", "references": {"srg": ["SRG-OS-000468-GPOS-00212"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit unsuccessful calls\nto the <code>renameat2</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"renameat2\" /etc/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping system calls related\nto the same event is more efficient. See the following example:\n<pre>\n-a always,exit -F arch=b32 -S renameat2 -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S renameat2 -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Unsuccessful Delete Attempts to Files - renameat2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml", "template": {"name": "audit_rules_unsuccessful_file_modification", "vars": {"name": "renameat2", "syscall_grouping": ["rename", "renameat", "renameat2", "unlink", "unlinkat"]}, "backends": {}}}