documentation_complete: true

title: 'Record File Deletion Events by User'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the <tt>auditd</tt> daemon is configured to use the
    <tt>augenrules</tt> program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix <tt>.rules</tt> in the
    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit
    system, or having two lines for both b32 and b64 in case your system is 64-bit:
    <pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
    utility to read audit rules during daemon startup, add the following line to
    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit
    system, or having two lines for both b32 and b64 in case your system is 64-bit:
    <pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>