{"description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit\nsystems, or having two lines for both b32 and b64 in case your system is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to the\n<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit\nsystems, or having two lines for both b32 and b64 in case your system is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["audit_rules_file_deletion_events", "audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_renameat2", "audit_rules_file_deletion_events_rmdir", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_unlinkat"], "platform": "", "platforms": [], "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "title": "Record File Deletion Events by User", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/group.yml"}