← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit file deletions and renames (Ubuntu)

audit-syscall-file-deletion · UBUNTU ≥ 22 · 1 impl

Description

The system must generate an audit record for file deletions and renames so that the responsible user can be identified.

Rationale

Auditing these system calls supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k delete
persist_file:
/etc/audit/rules.d/50-syscall-file-deletion.rules

Framework references

STIG

V-270809 / UBTU-24-900540V-260639 / UBTU-22-654185

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#syscall