{"description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit\nsystem, or having two lines for both b32 and b64 in case your system is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit\nsystem, or having two lines for both b32 and b64 in case your system is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>", "rationale": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.4", "A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.1.1", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.MA-2", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.7"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-OS-000466-GPOS-00210", "SRG-OS-000467-GPOS-00211", "SRG-OS-000468-GPOS-00212", "SRG-APP-000495-CTR-001235", "SRG-APP-000499-CTR-001255", "SRG-APP-000501-CTR-001265", "SRG-APP-000502-CTR-001270"], "anssi": ["R73"], "cis": ["6.3.3.13"], "pcidss4": ["10.2.1.7", "10.2.1", "10.2"], "stigid": ["UBTU-22-654185"], "stigref": ["SV-260639r991577_rule"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.13"], "pcidss4": ["10.2.1.7", "10.2.1", "10.2"], "stigid": ["UBTU-22-654185"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>unlinkat</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"unlinkat\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"unlinkat\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/delete.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete\nIt's allowed to group this system call within the same line as \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\".\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the unlinkat system call in Ubuntu 22.04 must generate an audit record.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Successful/unsuccessful uses of the unlinkat system call in Ubuntu 22.04 must generate an audit record.", "vuldiscussion": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.", "checktext": "To determine if the system is configured to audit calls to the\n unlinkat  system call, run the following command:\n $ sudo grep \"unlinkat\" /etc/audit/audit.*\nIf the system is configured to audit this activity, it will return a line.\n\n\nIf no line is returned, then this is a finding.", "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"unlinkat\" system call by adding or updating the following rules in the \"/etc/audit/rules.d/audit.rules\" file:\n-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete\n-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete\n\nIt's allowed to group this system call within the same line as \"rename\", \"unlink\", \"rmdir\", \"renameat\", \"renameat2\" and \"unlinkat\".\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects File Deletion Events by User - unlinkat", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml", "template": {"name": "audit_rules_file_deletion_events", "vars": {"name": "unlinkat", "syscall_grouping": ["unlink", "unlinkat", "rename", "renameat", "renameat2", "rmdir"]}, "backends": {}}}