Auditing rm commands on Linux systems with auditd
[root@test ~]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
# newly added line:
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k rm
[root@test ~]#
[root@test ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
[root@test ~]# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/bin/rm key=rm syscall=execve
[root@test ~]#
Run the test:
# rm 22.txt
# pwd
[root@test ~]# ausearch -k rm
----
time->Wed Sep 14 12:22:13 2016
type=PATH msg=audit(1473826933.202:4232482): item=1 name=(null) inode=3277219 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1473826933.202:4232482): item=0 name="/bin/rm" inode=27918399 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1473826933.202:4232482): cwd="/root"
type=EXECVE msg=audit(1473826933.202:4232482): argc=3 a0="rm" a1="I" a2="22.txt"
type=SYSCALL msg=audit(1473826933.202:4232482): arch=c000003e syscall=59 success=yes exit=0 a0=e46e20 a1=e458e0 a2=e18d40 a3=20 items=2 ppid=26701 pid=5248 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=35975 9 comm="rm" exe="/bin/rm" key="rm"
End of test: the audit log records at what time a file in that directory was deleted, by which command (with its arguments and working directory), and by which user and terminal.
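The records above can be turned into a "who deleted what, from where, when" summary by grouping the raw lines by their audit serial; the parser below is an added example, not part of the original session, and runs on a constructed copy of the event above (the a1="-i" value is an assumption standing in for the garbled argument in the original record).

```python
import os
import re
from datetime import datetime, timezone

# Constructed sample input modelled on the ausearch -k rm output above (one event, serial 4232482).
# The "-i" argument is an assumption standing in for the garbled a1 value in the original record.
SAMPLE = """\
----
time->Wed Sep 14 12:22:13 2016
type=PATH msg=audit(1473826933.202:4232482): item=1 name=(null) inode=3277219 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1473826933.202:4232482): item=0 name="/bin/rm" inode=27918399 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1473826933.202:4232482): cwd="/root"
type=EXECVE msg=audit(1473826933.202:4232482): argc=3 a0="rm" a1="-i" a2="22.txt"
type=SYSCALL msg=audit(1473826933.202:4232482): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=26701 pid=5248 auid=0 uid=0 gid=0 euid=0 tty=pts4 ses=35975 comm="rm" exe="/bin/rm" key="rm"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')  # type, timestamp, serial, fields
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be quoted

def parse_events(text):
    """Group raw audit records by event serial: {serial: {"ts": float, "records": [(type, fields)]}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip ausearch separators ("----", "time->...")
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        events.setdefault(serial, {"ts": float(ts), "records": []})["records"].append((rtype, fields))
    return events

def summarize_rm(event):
    """Reconstruct who ran rm, from which directory, against which files (relative args joined to cwd)."""
    by_type = dict(event["records"])  # one record per type is enough here; PATH items are not needed
    sc, ex = by_type.get("SYSCALL", {}), by_type.get("EXECVE", {})
    cwd = by_type.get("CWD", {}).get("cwd", "/")
    argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
    targets = [a if a.startswith("/") else os.path.join(cwd, a) for a in argv[1:] if not a.startswith("-")]
    return {
        "time": datetime.fromtimestamp(event["ts"], tz=timezone.utc).isoformat(),
        "auid": sc.get("auid"), "uid": sc.get("uid"), "tty": sc.get("tty"), "ses": sc.get("ses"),
        "exe": sc.get("exe"), "cwd": cwd, "targets": targets, "success": sc.get("success") == "yes",
    }

def rm_summaries(text, key="rm"):
    """Summaries for every event tagged with the audit key (the -k value of the rule)."""
    return [summarize_rm(ev) for ev in parse_events(text).values()
            if any(t == "SYSCALL" and f.get("key") == key for t, f in ev["records"])]
```

Because the rule matches only execve of /bin/rm, deletions made by other programs through unlink()/unlinkat() are not recorded by it; a syscall rule on those calls (-S unlink -S unlinkat) is what covers them.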
Recommendation: on production systems it is best to have deleted files moved to a recycle-bin directory rather than removed outright, to avoid unnecessary losses, just in case.