mediumauditverified ✓rollback-safe
Ensure file deletion events by users are collected
audit-delete · RHEL ≥ 8 · 1 impl
Description
File deletion events must be collected to detect unauthorized data destruction.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkcommand
auditctl -l 2>/dev/null | grep -E '(-k|key=)delete([[:space:]]|$)' | grep -q -- '-S [a-z0-9,]*unlink'
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=unset -k delete
- persist_file:
- /etc/audit/rules.d/50-delete.rules
Framework references
CIS
rhel9 6.3.3.13rhel8 6.3.3.13
STIG
V-281165 / RHEL-10-500810V-258187 / RHEL-09-654065V-230439
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd