Skip to content

Commit 9c34ccc

Browse files
jan-cernyjan-cerny
committed
Add renameat2 syscall to audit rules
The audit_file_deletion_events rule checks for the `renameat` syscall. However, there is a similar syscall `renameat2` which should be checked as well. We don't have a rule for it so in this commit we will create a new rule and add `renameat2` syscall everywhere where `renameat` syscall is used.
1 parent 31c5783 commit 9c34ccc

File tree

73 files changed

+167
-18
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

73 files changed

+167
-18
lines changed

components/audit.yml

+1
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,7 @@ rules:
106106
- audit_rules_file_deletion_events
107107
- audit_rules_file_deletion_events_rename
108108
- audit_rules_file_deletion_events_renameat
109+
- audit_rules_file_deletion_events_renameat2
109110
- audit_rules_file_deletion_events_rmdir
110111
- audit_rules_file_deletion_events_unlink
111112
- audit_rules_file_deletion_events_unlinkat

controls/anssi.yml

+1
Original file line numberDiff line numberDiff line change
@@ -1559,6 +1559,7 @@ controls:
15591559

15601560
- audit_rules_file_deletion_events_rename
15611561
- audit_rules_file_deletion_events_renameat
1562+
- audit_rules_file_deletion_events_renameat2
15621563
- audit_rules_file_deletion_events_rmdir
15631564
- audit_rules_file_deletion_events_unlink
15641565
- audit_rules_file_deletion_events_unlinkat

controls/cis_rhel10.yml

+1
Original file line numberDiff line numberDiff line change
@@ -2628,6 +2628,7 @@ controls:
26282628
rules:
26292629
- audit_rules_file_deletion_events_rename
26302630
- audit_rules_file_deletion_events_renameat
2631+
- audit_rules_file_deletion_events_renameat2
26312632
- audit_rules_file_deletion_events_unlink
26322633
- audit_rules_file_deletion_events_unlinkat
26332634

controls/hipaa.yml

+7
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,7 @@ controls:
7171
- audit_rules_execution_setsebool
7272
- audit_rules_file_deletion_events_rename
7373
- audit_rules_file_deletion_events_renameat
74+
- audit_rules_file_deletion_events_renameat2
7475
- audit_rules_file_deletion_events_rmdir
7576
- audit_rules_file_deletion_events_unlink
7677
- audit_rules_file_deletion_events_unlinkat
@@ -236,6 +237,7 @@ controls:
236237
- audit_rules_execution_setsebool
237238
- audit_rules_file_deletion_events_rename
238239
- audit_rules_file_deletion_events_renameat
240+
- audit_rules_file_deletion_events_renameat2
239241
- audit_rules_file_deletion_events_rmdir
240242
- audit_rules_file_deletion_events_unlink
241243
- audit_rules_file_deletion_events_unlinkat
@@ -432,6 +434,7 @@ controls:
432434
- audit_rules_execution_setsebool
433435
- audit_rules_file_deletion_events_rename
434436
- audit_rules_file_deletion_events_renameat
437+
- audit_rules_file_deletion_events_renameat2
435438
- audit_rules_file_deletion_events_rmdir
436439
- audit_rules_file_deletion_events_unlink
437440
- audit_rules_file_deletion_events_unlinkat
@@ -1166,6 +1169,7 @@ controls:
11661169
- audit_rules_execution_setsebool
11671170
- audit_rules_file_deletion_events_rename
11681171
- audit_rules_file_deletion_events_renameat
1172+
- audit_rules_file_deletion_events_renameat2
11691173
- audit_rules_file_deletion_events_rmdir
11701174
- audit_rules_file_deletion_events_unlink
11711175
- audit_rules_file_deletion_events_unlinkat
@@ -1306,6 +1310,7 @@ controls:
13061310
- audit_rules_execution_setsebool
13071311
- audit_rules_file_deletion_events_rename
13081312
- audit_rules_file_deletion_events_renameat
1313+
- audit_rules_file_deletion_events_renameat2
13091314
- audit_rules_file_deletion_events_rmdir
13101315
- audit_rules_file_deletion_events_unlink
13111316
- audit_rules_file_deletion_events_unlinkat
@@ -1476,6 +1481,7 @@ controls:
14761481
- audit_rules_execution_setsebool
14771482
- audit_rules_file_deletion_events_rename
14781483
- audit_rules_file_deletion_events_renameat
1484+
- audit_rules_file_deletion_events_renameat2
14791485
- audit_rules_file_deletion_events_rmdir
14801486
- audit_rules_file_deletion_events_unlink
14811487
- audit_rules_file_deletion_events_unlinkat
@@ -1574,6 +1580,7 @@ controls:
15741580
- audit_rules_execution_setsebool
15751581
- audit_rules_file_deletion_events_rename
15761582
- audit_rules_file_deletion_events_renameat
1583+
- audit_rules_file_deletion_events_renameat2
15771584
- audit_rules_file_deletion_events_rmdir
15781585
- audit_rules_file_deletion_events_unlink
15791586
- audit_rules_file_deletion_events_unlinkat

controls/pcidss_4.yml

+1
Original file line numberDiff line numberDiff line change
@@ -2769,6 +2769,7 @@ controls:
27692769
rules:
27702770
- audit_rules_file_deletion_events_rename
27712771
- audit_rules_file_deletion_events_renameat
2772+
- audit_rules_file_deletion_events_renameat2
27722773
- audit_rules_file_deletion_events_rmdir
27732774
- audit_rules_file_deletion_events_unlink
27742775
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000037-GPOS-00015.yml

+1
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ controls:
2828
- audit_rules_execution_setsebool
2929
- audit_rules_file_deletion_events_rename
3030
- audit_rules_file_deletion_events_renameat
31+
- audit_rules_file_deletion_events_renameat2
3132
- audit_rules_file_deletion_events_rmdir
3233
- audit_rules_file_deletion_events_unlink
3334
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000042-GPOS-00020.yml

+1
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ controls:
2626
- audit_rules_execution_setsebool
2727
- audit_rules_file_deletion_events_rename
2828
- audit_rules_file_deletion_events_renameat
29+
- audit_rules_file_deletion_events_renameat2
2930
- audit_rules_file_deletion_events_rmdir
3031
- audit_rules_file_deletion_events_unlink
3132
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000062-GPOS-00031.yml

+1
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ controls:
2929
- audit_rules_execution_setsebool
3030
- audit_rules_file_deletion_events_rename
3131
- audit_rules_file_deletion_events_renameat
32+
- audit_rules_file_deletion_events_renameat2
3233
- audit_rules_file_deletion_events_rmdir
3334
- audit_rules_file_deletion_events_unlink
3435
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml

+1
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ controls:
2828
- audit_rules_execution_setsebool
2929
- audit_rules_file_deletion_events_rename
3030
- audit_rules_file_deletion_events_renameat
31+
- audit_rules_file_deletion_events_renameat2
3132
- audit_rules_file_deletion_events_rmdir
3233
- audit_rules_file_deletion_events_unlink
3334
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml

+1
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ controls:
2828
- audit_rules_execution_setsebool
2929
- audit_rules_file_deletion_events_rename
3030
- audit_rules_file_deletion_events_renameat
31+
- audit_rules_file_deletion_events_renameat2
3132
- audit_rules_file_deletion_events_rmdir
3233
- audit_rules_file_deletion_events_unlink
3334
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000466-GPOS-00210.yml

+1
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ controls:
1818
- audit_rules_execution_chacl
1919
- audit_rules_file_deletion_events_rename
2020
- audit_rules_file_deletion_events_renameat
21+
- audit_rules_file_deletion_events_renameat2
2122
- audit_rules_file_deletion_events_rmdir
2223
- audit_rules_file_deletion_events_unlink
2324
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000467-GPOS-00211.yml

+1
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ controls:
77
rules:
88
- audit_rules_file_deletion_events_rename
99
- audit_rules_file_deletion_events_renameat
10+
- audit_rules_file_deletion_events_renameat2
1011
- audit_rules_file_deletion_events_rmdir
1112
- audit_rules_file_deletion_events_unlink
1213
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000468-GPOS-00212.yml

+1
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ controls:
1212
- audit_rules_execution_chcon
1313
- audit_rules_file_deletion_events_rename
1414
- audit_rules_file_deletion_events_renameat
15+
- audit_rules_file_deletion_events_renameat2
1516
- audit_rules_file_deletion_events_rmdir
1617
- audit_rules_file_deletion_events_unlink
1718
- audit_rules_file_deletion_events_unlinkat

controls/srg_gpos/SRG-OS-000471-GPOS-00215.yml

+1
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ controls:
2828
- audit_rules_execution_setsebool
2929
- audit_rules_file_deletion_events_rename
3030
- audit_rules_file_deletion_events_renameat
31+
- audit_rules_file_deletion_events_renameat2
3132
- audit_rules_file_deletion_events_rmdir
3233
- audit_rules_file_deletion_events_unlink
3334
- audit_rules_file_deletion_events_unlinkat

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh

+2-2
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ do
99
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
1010
OTHER_FILTERS=""
1111
AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
12-
SYSCALL="rmdir unlink unlinkat rename renameat"
12+
SYSCALL="rmdir unlink unlinkat rename renameat renameat2"
1313
KEY="delete"
14-
SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat"
14+
SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat renameat2"
1515
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
1616
{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
1717
{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml

+1
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77
<extend_definition comment="audit unlinkat" definition_ref="audit_rules_file_deletion_events_unlinkat" />
88
<extend_definition comment="audit rename" definition_ref="audit_rules_file_deletion_events_rename" />
99
<extend_definition comment="audit renameat" definition_ref="audit_rules_file_deletion_events_renameat" />
10+
<extend_definition comment="audit renameat2" definition_ref="audit_rules_file_deletion_events_renameat2" />
1011
</criteria>
1112
</definition>
1213

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml

+6-2
Original file line numberDiff line numberDiff line change
@@ -10,12 +10,12 @@ description: |-
1010
default), add the following line to a file with suffix <tt>.rules</tt> in the
1111
directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit
1212
system, or having two lines for both b32 and b64 in case your system is 64-bit:
13-
<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
13+
<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
1414
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
1515
utility to read audit rules during daemon startup, add the following line to
1616
<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit
1717
system, or having two lines for both b32 and b64 in case your system is 64-bit:
18-
<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
18+
<pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat2 -S renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
1919
2020
rationale: |-
2121
Auditing file deletions will create an audit trail for files that are removed
@@ -50,6 +50,7 @@ ocil: |-
5050
{{{ ocil_audit_syscall(syscall="unlinkat") }}}
5151
{{{ ocil_audit_syscall(syscall="rename") }}}
5252
{{{ ocil_audit_syscall(syscall="renameat") }}}
53+
{{{ ocil_audit_syscall(syscall="renameat2") }}}
5354
5455
{{{ ocil_clause_entry_audit_syscall() }}}
5556

@@ -62,5 +63,8 @@ warnings:
6263
<li><tt>audit_rules_file_deletion_events_rmdir</tt></li>
6364
<li><tt>audit_rules_file_deletion_events_unlink</tt></li>
6465
<li><tt>audit_rules_file_deletion_events_unlinkat</tt></li>
66+
<li><tt>audit_rules_file_deletion_events_rename</tt></li>
67+
<li><tt>audit_rules_file_deletion_events_renameat</tt></li>
68+
<li><tt>audit_rules_file_deletion_events_renameat2</tt></li>
6569
</ul>
6670

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/policy/stig/shared.yml

+7-7
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
srg_requirement: |-
2-
{{{ full_name }}} must audit all uses of the rename,unlink,rmdir,renameat, and unlinkat system calls.
2+
{{{ full_name }}} must audit all uses of the rename,unlink,rmdir,renameat,renameat2 and unlinkat system calls.
33
44
vuldiscussion: |-
55
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -11,19 +11,19 @@ vuldiscussion: |-
1111
The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
1212
1313
checktext: |-
14-
Verify that {{{ full_name }}} is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command:
14+
Verify that {{{ full_name }}} is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls with the following command:
1515
1616
$ sudo auditctl -l | grep 'rename\|unlink\|rmdir'
1717
18-
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
19-
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
18+
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
19+
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
2020
2121
If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.
2222
2323
fixtext: |-
24-
Configure {{{ full_name }}} to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
24+
Configure {{{ full_name }}} to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
2525
26-
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
27-
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
26+
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
27+
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
2828
2929
The audit daemon must be restarted for the changes to take effect.

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml

+1
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,7 @@ template:
7070
- unlinkat
7171
- rename
7272
- renameat
73+
- renameat2
7374
- rmdir
7475

7576
fixtext: |-

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml

+1
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,7 @@ template:
6767
- unlinkat
6868
- rename
6969
- renameat
70+
- renameat2
7071
- rmdir
7172
fixtext: |-
7273
{{{ fixtext_audit_rules_file_deletion_events("renameat") | indent(4) }}}

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/policy/stig/shared.yml

+25
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
srg_requirement: |-
2+
Successful/unsuccessful uses of the renameat2 system call in {{{ full_name }}} must generate an audit record.
3+
4+
vuldiscussion: |-
5+
Auditing file deletions will create an audit trail for files that are removed
6+
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
7+
malicious processes that attempt to delete log files to conceal their presence.
8+
9+
checktext: |-
10+
To determine if the system is configured to audit calls to the
11+
renameat2 system call, run the following command:
12+
$ sudo grep "renameat2" /etc/audit/audit.*
13+
If the system is configured to audit this activity, it will return a line.
14+
15+
16+
If no line is returned, then this is a finding.
17+
18+
fixtext: |-
19+
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "renameat2" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
20+
-a always,exit -F arch=b32 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=unset -k delete
21+
-a always,exit -F arch=b64 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=unset -k delete
22+
23+
It's allowed to group this system call within the same line as "rename", "unlink", "rmdir", "renameat2", and "unlinkat".
24+
25+
The audit daemon must be restarted for the changes to take effect.

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/rule.yml

+50
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
documentation_complete: true
2+
3+
title: 'Ensure auditd Collects File Deletion Events by User - renameat2'
4+
5+
description: |-
6+
At a minimum, the audit system should collect file deletion events
7+
for all users and root. If the <tt>auditd</tt> daemon is configured to use the
8+
<tt>augenrules</tt> program to read audit rules during daemon startup (the
9+
default), add the following line to a file with suffix <tt>.rules</tt> in the
10+
directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit
11+
system, or having two lines for both b32 and b64 in case your system is 64-bit:
12+
<pre>-a always,exit -F arch=ARCH -S renameat2 -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
13+
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
14+
utility to read audit rules during daemon startup, add the following line to
15+
<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit
16+
system, or having two lines for both b32 and b64 in case your system is 64-bit:
17+
<pre>-a always,exit -F arch=ARCH -S renameat2 -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
18+
19+
rationale: |-
20+
Auditing file deletions will create an audit trail for files that are removed
21+
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
22+
malicious processes that attempt to delete log files to conceal their presence.
23+
24+
severity: medium
25+
26+
identifiers:
27+
cce@rhel10: CCE-86188-0
28+
29+
references:
30+
disa: CCI-000172,CCI-000130,CCI-000135,CCI-000169,CCI-002884
31+
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
32+
33+
34+
{{{ complete_ocil_entry_audit_syscall(syscall="renameat2") }}}
35+
36+
template:
37+
name: audit_rules_file_deletion_events
38+
vars:
39+
name: renameat2
40+
syscall_grouping:
41+
- unlink
42+
- unlinkat
43+
- rename
44+
- renameat
45+
- renameat2
46+
- rmdir
47+
fixtext: |-
48+
{{{ fixtext_audit_rules_file_deletion_events("renameat2") | indent(4) }}}
49+
50+
srg_requirement: '{{{ srg_requirement_audit_syscall("renameat2") }}}'

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat2/tests/ocp4/e2e.yml

+3
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
---
2+
default_result: FAIL
3+
result_after_remediation: PASS

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/policy/stig/shared.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,6 @@ fixtext: |-
2020
-a always,exit -F arch=b32 -S rmdir -F auid>={{{ uid_min }}} -F auid!=unset -k delete
2121
-a always,exit -F arch=b64 -S rmdir -F auid>={{{ uid_min }}} -F auid!=unset -k delete
2222
23-
It's allowed to group this system call within the same line as "rename", "unlink", "rmdir", "renameat", and "unlinkat".
23+
It's allowed to group this system call within the same line as "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat".
2424
2525
The audit daemon must be restarted for the changes to take effect.

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml

+1
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,7 @@ template:
6464
- unlinkat
6565
- rename
6666
- renameat
67+
- renameat2
6768
- rmdir
6869

6970
fixtext: |-

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/policy/stig/shared.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,6 @@ fixtext: |-
2020
-a always,exit -F arch=b32 -S unlink -F auid>={{{ uid_min }}} -F auid!=unset -k delete
2121
-a always,exit -F arch=b64 -S unlink -F auid>={{{ uid_min }}} -F auid!=unset -k delete
2222
23-
It's allowed to group this system call within the same line as "rename", "unlink", "rmdir", "renameat", and "unlinkat".
23+
It's allowed to group this system call within the same line as "rename", "unlink", "rmdir", "renameat", "renameat2" and "unlinkat".
2424
2525
The audit daemon must be restarted for the changes to take effect.

linux_os/guide/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml

+1
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,7 @@ template:
7070
- unlinkat
7171
- rename
7272
- renameat
73+
- renameat2
7374
- rmdir
7475

7576
fixtext: |-

0 commit comments

Comments
 (0)