CCE-92927-3Platform: cpe:/o:ubuntu:ubuntu_linux:19.04 | Date: (C)2019-11-07 (M)2023-07-04 |
Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier delete.
Rationale:
Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered.
Parameter:
[yes/no]
Technical Mechanism:
At a minimum, configure the audit system to collect file deletion events for all users and root.
For 64 bit systems, add the following to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete
# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd
For 32 bit systems, add the following to the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete
# Execute the following command to restart auditd
# pkill -P 1-HUP auditd
CCSS Severity: | CCSS Metrics: |
CCSS Score : 4.4 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 2.5 | Privileges Required: LOW |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: NONE |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:55140 |