{"description": "Ensure that unsuccessful attempts to delete a file are audited.\n\nThe following rules configure audit as described above:\n<pre>## Unsuccessful file delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete    </pre>\n\nLoad new Audit rules into kernel by running:\n<pre>augenrules --load</pre>\n\nNote: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are aligned with your needs.", "rationale": "Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.", "severity": "medium", "references": {"nist": ["AU-2(a)"], "ospp": ["FAU_GEN.1.1.c"], "srg": ["SRG-OS-000458-GPOS-00203", "SRG-OS-000474-GPOS-00219", "SRG-OS-000475-GPOS-00220", "SRG-OS-000463-GPOS-00207", "SRG-OS-000465-GPOS-00209", "SRG-OS-000461-GPOS-00205", "SRG-OS-000468-GPOS-00212"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the file does not exist or the content differs", "ocil": "To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:\n<pre>cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules</pre>\nThe output has to be exactly as follows:\n<pre>## Unsuccessful file delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete    </pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to audit all unsuccessful attempts to delete a file.\n\nCreate file \"/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules\" with the exactly following content:\n\n## Unsuccessful file delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n\nThen, run the following commands:\n\n$ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules\n$ sudo augenrules --load", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["ppc64le_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["ppc64le_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditing of unsuccessful file deletions (ppc64le)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml", "template": {"name": "audit_file_contents", "vars": {"filepath": "/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules", "contents": "## Unsuccessful file delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete"}, "backends": {}}}