Profile Applicability:
 • Level 2

Description:
 Tracking file deletion events provides visibility into potential unauthorized removal of files, which could indicate malicious activity or accidental data loss. Collecting these events aids in forensic investigations and helps maintain data integrity.

Rationale:
 Auditing file deletions helps detect suspicious or unauthorized actions, enabling timely response to protect system and data security.

Impact:
 Pros:

  • Provides accountability for file deletion activities.

  • Supports detection of data tampering or sabotage.

Cons:

  • May generate significant audit log data; requires effective log management.

Default Value:
 Audit rules for file deletion events may not be enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check existing audit rules for file deletions

auditctl -l | grep unlink

  1. Verify audit rules monitor syscalls such as unlink, unlinkat, rename, and renameat.

Implementation Plan:

Using Linux command line:

Add audit rules to log file deletion syscalls:

auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k delete
auditctl -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -k delete

  1. Persist rules by adding them to /etc/audit/rules.d/audit.rules.
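The rules above tag every matching syscall with key "delete"; the records they emit (SYSCALL, CWD and PATH lines sharing one event id) are what an analyst reviews with ausearch -k delete. The following is an added example, not part of this benchmark, that joins those records into one line per deletion, using constructed sample records in the raw ausearch format and the syscall numbers for the x86_64 and i386 arches the rules cover:

```python
"""Added example: summarise the events the deletion rules above produce (key "delete"),
joining each SYSCALL record with its CWD and PATH nametype=DELETE records."""
import re
from collections import defaultdict

SYSCALL_NAMES = {  # syscall numbers for the two arches the rules cover (x86_64, i386)
    "c000003e": {"87": "unlink", "263": "unlinkat", "82": "rename", "264": "renameat"},
    "40000003": {"10": "unlink", "301": "unlinkat", "38": "rename", "302": "renameat"},
}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
# Constructed sample records in the raw format `ausearch -k delete --raw` prints.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:300): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=4242 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1700000000.101:300): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:300): item=0 name="/home/alice" nametype=PARENT
type=PATH msg=audit(1700000000.101:300): item=1 name="report.txt" nametype=DELETE
type=SYSCALL msg=audit(1700000000.202:301): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=4300 auid=1000 uid=0 comm="mv" exe="/usr/bin/mv" key="delete"
type=CWD msg=audit(1700000000.202:301): cwd="/"
type=PATH msg=audit(1700000000.202:301): item=2 name="/srv/data/ledger.csv" nametype=DELETE
type=SYSCALL msg=audit(1700000000.303:302): arch=c000003e syscall=257 success=yes exit=3 pid=4400 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="access"
"""

def summarise_deletions(lines):
    """Return one dict per key=delete event: serial, auid, uid, exe, syscall, success, paths."""
    events = defaultdict(lambda: {"paths": []})
    for m in filter(None, map(_ID.search, lines)):     # skip lines without an audit event id
        f = {k: v.strip('"') for k, v in _KV.findall(m.string)}
        ev = events[m.groups()]                          # (timestamp, serial) identifies the event
        if f.get("type") == "SYSCALL":
            ev["syscall"] = f
        elif f.get("type") == "CWD":
            ev["cwd"] = f.get("cwd", "/")
        elif f.get("type") == "PATH" and f.get("nametype") == "DELETE":
            ev["paths"].append(f.get("name", "?"))
    out = []
    for ts_serial in sorted(events, key=lambda e: int(e[1])):
        ev, sc = events[ts_serial], events[ts_serial].get("syscall")
        if not sc or sc.get("key") != "delete":
            continue                                      # not produced by the deletion rules
        cwd = ev.get("cwd", "/").rstrip("/")
        out.append({
            "serial": int(ts_serial[1]), "auid": sc.get("auid"), "uid": sc.get("uid"),
            "exe": sc.get("exe"), "success": sc.get("success") == "yes",
            "syscall": SYSCALL_NAMES.get(sc.get("arch"), {}).get(sc.get("syscall"), "unknown"),
            # relative PATH names resolve against the event's CWD; auid is the login user, so a
            # deletion performed through sudo (uid=0) stays attributable to the real person
            "paths": [p if p.startswith("/") else f"{cwd}/{p}" for p in ev["paths"]],
        })
    return out
```

Running summarise_deletions(SAMPLE_LOG.splitlines()) yields two entries, the unlink of /home/alice/report.txt and the rename away of /srv/data/ledger.csv, while the key="access" event is ignored.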

Backout Plan:

Using Linux command line:

Remove or disable file deletion audit rules if necessary:

auditctl -d always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k delete
auditctl -d always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -k delete

  1. Reload audit daemon configuration.

References: