documentation_complete: true


title: 'Configure auditing of successful file deletions (AArch64)'

{{% set file_contents_audit_delete_success =
"## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlinkat,renameat -F success=1 -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=successful-delete" %}}

description: |-
    Ensure that successful attempts to delete a file are audited.

    The following rules configure audit as described above:
    <pre>{{{ file_contents_audit_delete_success|indent }}}    </pre>

    Load new Audit rules into kernel by running:
    <pre>augenrules --load</pre>

    Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are aligned with your needs.

rationale: |-
    Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.

severity: medium

platforms:
    - aarch64_arch

identifiers:
    cce@rhel9: CCE-85939-7
    cce@rhel10: CCE-88866-9

references:
    nist: AU-2(a)
    ospp: FAU_GEN.1.1.c
    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212

ocil_clause: 'the file does not exist or the content differs'

ocil: |-
    To verify that the <tt>Audit</tt> is correctly configured according to recommended rules, check the content of the file with the following command:
    <pre>cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules</pre>
    The output has to be exactly as follows:
    <pre>{{{ file_contents_audit_delete_success|indent }}}    </pre>

template:
    name: audit_file_contents
    vars:
        filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
        contents: |-
            {{{ file_contents_audit_delete_success|indent(12) }}}

fixtext: |-
    Configure {{{ full_name }}} to audit all successful attempts to delete a file.

    Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules" with the exactly following content:

    {{{ file_contents_audit_delete_success|indent(4) }}}

    Then, run the following commands:

    $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
    $ sudo augenrules --load