Asked Sunday, February 13, 2022 (1 answer, 1392 hits)

I have auditd installed on 64-bit Ubuntu 12.04 to track down some unexpected deletes (nice discussion of auditd). This is my rule (tagging deletes with the deletes keyword):

    -a exit,always -F arch=b64 -S unlink -S rmdir -k deletes

auditctl -l shows that it's configured:

    LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=deletes syscall=rmdir,unlink

This works perfectly:

    # mkdir xyx
    # rmdir xyz
    # ausearch -k deletes|grep 'xyz'
    type=PATH msg=audit(1406147794.737:1880): item=1 name="xyz" inode=12386307 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00

but this does not:

    # touch xyx
    # rm xyx
    # ausearch -k deletes|grep 'xyz'

I can see that all sorts of other deletes are logged. What am I missing?


 Answers
I was facing the same issue and just found the solution. You will need to trace the unlinkat system call as well:

    -a exit,always -F arch=b64 -S unlink -S rmdir -S unlinkat -k deletes

because rm isn't using unlink. Thanks to theillien for the answer posted here on SuperUser:


Answered Sunday, February 13, 2022
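As an added check that is not part of the question or the answer, the shell function below parses `auditctl -l` output and reports which deletion syscalls a `key=deletes` rule leaves uncovered; the two rule lines are constructed to mirror the question's output and the fix above, and the function also accepts the newer `-S name,name` listing format that later auditd versions print.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Constructed samples of `auditctl -l` output: the questioner's rule
# (which lacks unlinkat) and the corrected rule from the answer.
RULES_LACKING_UNLINKAT='LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=deletes syscall=rmdir,unlink'
RULES_COMPLETE='LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=deletes syscall=rmdir,unlink,unlinkat'

# Syscalls a file or directory removal can go through on this arch.
# coreutils rm(1) uses unlinkat, which the original rule did not list.
REQUIRED_DELETE_SYSCALLS="unlink unlinkat rmdir"

# missing_delete_syscalls RULES_TEXT
#   Prints the required syscalls that no key=deletes rule covers
#   (space separated) and returns 0 only when nothing is missing.
missing_delete_syscalls() {
    rules="$1"
    # Collect syscall names from rules tagged key=deletes. Old auditd
    # prints "syscall=a,b"; newer auditd prints "-S a,b".
    covered=$(printf '%s\n' "$rules" \
        | grep 'key=deletes' \
        | sed -n -e 's/.*syscall=\([^ ]*\).*/\1/p' \
                 -e 's/.*-S \([^ ]*\).*/\1/p' \
        | tr ',' '\n')
    missing=""
    for sc in $REQUIRED_DELETE_SYSCALLS; do
        if ! printf '%s\n' "$covered" | grep -qx "$sc"; then
            missing="$missing $sc"
        fi
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}
```

Run it against live output with `missing_delete_syscalls "$(auditctl -l)"` on a host where the rules are loaded.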