{"description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>, setting ARCH to b32 on a 32-bit\nsystem, or adding two lines, one for b32 and one for b64, if your system is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\nthe <tt>/etc/audit/audit.rules</tt> file, setting ARCH to b32 on a 32-bit\nsystem, or adding two lines, one for b32 and one for b64, if your system is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat2 -S renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>", "rationale": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system.\nThe audit trail could aid in system troubleshooting, as well as in detecting\nmalicious processes that attempt to delete log files to conceal their presence.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.7"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>rmdir</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"rmdir\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>unlink</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"unlink\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>unlinkat</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"unlinkat\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>rename</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"rename\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>renameat</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"renameat\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\nTo determine if the system is configured to audit calls to the\n<code>renameat2</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"renameat2\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule checks for multiple syscalls related to file deletion;\nit was written with DISA STIG in mind. Other policies should use a\nseparate rule for each syscall that needs to be checked.\nFor example:\n<ul>\n<li><tt>audit_rules_file_deletion_events_rmdir</tt></li>\n<li><tt>audit_rules_file_deletion_events_unlink</tt></li>\n<li><tt>audit_rules_file_deletion_events_unlinkat</tt></li>\n<li><tt>audit_rules_file_deletion_events_rename</tt></li>\n<li><tt>audit_rules_file_deletion_events_renameat</tt></li>\n<li><tt>audit_rules_file_deletion_events_renameat2</tt></li>\n</ul>"}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects File Deletion Events by User", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml", "template": null}