Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:14 [2017/05/04 16:13] (current)
Line 1: Line 1:
 +====== 4.1.14 Ensure file deletion events by users are collected (Scored) ====== 
 +=====Profile Applicability===== ​  
 +<​code>​ 
 +Level 2 - Server  
 +Level 2 - Workstation 
 +</​code>​ 
 +=====Description===== 
 +Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the ''​unlink''​ (remove a file), ''​unlinkat''​ (remove a file attribute), ''​rename''​ (rename a file) and ''​renameat''​ (rename a file attribute) system calls and tags them with the identifier "​delete"​. 
 +=====Rationale===== 
 +Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. 
 +=====Audit=====  
 +On a 32 bit system run the following command and verify the output matches: 
 +<​Code:​bash>​ 
 +# grep delete /​etc/​audit/​audit.rules  
 +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>​=1000 -F auid!=4294967295 -k delete 
 +</​Code>​ 
 +On a 64 bit system run the following command and verify the output matches: 
 +<​Code:​bash>​ 
 +# grep delete /​etc/​audit/​audit.rules  
 +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>​=1000 -F auid!=4294967295 -k delete  
 +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>​=1000 -F auid!=4294967295 -k delete 
 +</​Code>​ 
 +=====Remediation=====  
 +For 32 bit systems add the following lines to the ''/​etc/​audit/​audit.rules''​ file: 
 +<​Code:​bash>​ 
 +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>​=1000 -F auid!=4294967295 -k delete 
 +</​Code>​ 
 +For 64 bit systems add the following lines to the ''/​etc/​audit/​audit.rules''​ file: 
 +<​Code:​bash>​ 
 +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>​=1000 -F auid!=4294967295 -k delete  
 +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>​=1000 -F auid!=4294967295 -k delete 
 +</​Code>​ 
 +=====Notes=====  
 +At a minimum, configure the audit system to collect file deletion events for all users and root.