
I have auditd installed on 64-bit Ubuntu 12.04 to track down some unexpected deletes (nice discussion of auditd). This is my rule (tagging deletes with the deletes keyword):

-a exit,always -F arch=b64 -S unlink -S rmdir -k deletes

auditctl -l shows that it's configured:

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=deletes syscall=rmdir,unlink

This works perfectly:

# mkdir xyz
# rmdir xyz
# ausearch -k deletes|grep 'xyz'
type=PATH msg=audit(1406147794.737:1880): item=1 name="xyz" inode=12386307 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00

but this does not:

# touch xyz
# rm xyz
# ausearch -k deletes|grep 'xyz'

I can see that all sorts of other deletes are logged. What am I missing?

Synchro

2 Answers


I was facing the same issue, just found the solution. You will need to use unlinkat as the system call to trace:

-a exit,always -F arch=b64 -S unlink -S rmdir -S unlinkat

because rm isn't using unlink. Thanks theillien for the answer posted here on SuperUser:

sylye
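As an added illustration (not code from the thread), here is a small Python parser over constructed raw audit.log SYSCALL/PATH records that compares which delete events the asker's `-S unlink -S rmdir` list would tag against a list that also includes unlinkat. The syscall numbers are the x86_64 ones that appear in raw records; adding rename/renameat is my own extension (a rename also makes the old name vanish), not something the answer above says.

```python
import re

# x86_64 syscall numbers as they appear in raw SYSCALL records (ausearch -i shows the names)
X86_64_SYSCALLS = {82: "rename", 84: "rmdir", 87: "unlink", 263: "unlinkat", 264: "renameat"}

ORIGINAL_RULE = {"unlink", "rmdir"}                                   # the asker's -S list
# unlinkat is what the accepted answer adds; rename/renameat are my own addition (assumption),
# since renaming also makes the old name disappear from the directory
EXTENDED_RULE = {"unlink", "unlinkat", "rmdir", "rename", "renameat"}

SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): arch=(?P<arch>[0-9a-f]+) '
                        r'syscall=(?P<nr>\d+) success=(?P<ok>\w+).*? comm="(?P<comm>[^"]*)"')
PATH_RE = re.compile(r'type=PATH msg=audit\([\d.]+:(?P<serial>\d+)\): item=(?P<item>\d+) name="(?P<name>[^"]*)"')

# Constructed sample in raw audit.log format; not output from the asker's system
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1406147794.737:1880): arch=c000003e syscall=84 success=yes exit=0 comm="rmdir" exe="/bin/rmdir"
type=PATH msg=audit(1406147794.737:1880): item=0 name="/root" inode=2 dev=08:04 mode=040700
type=PATH msg=audit(1406147794.737:1880): item=1 name="xyz" inode=12386307 dev=08:04 mode=040755
type=SYSCALL msg=audit(1406147801.212:1881): arch=c000003e syscall=263 success=yes exit=0 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1406147801.212:1881): item=0 name="/root" inode=2 dev=08:04 mode=040700
type=PATH msg=audit(1406147801.212:1881): item=1 name="xyz" inode=12386310 dev=08:04 mode=0100644
type=SYSCALL msg=audit(1406147830.005:1882): arch=c000003e syscall=87 success=yes exit=0 comm="php5" exe="/usr/bin/php5"
type=PATH msg=audit(1406147830.005:1882): item=0 name="/var/www" inode=3 dev=08:04 mode=040755
type=PATH msg=audit(1406147830.005:1882): item=1 name="/var/www/cache.tmp" inode=99 dev=08:04 mode=0100644
"""

def deletes_seen_by(log_text, rule):
    """Return [(serial, syscall, comm, path)] for successful 64-bit delete events that a
    rule with the given -S list would have tagged."""
    # The highest-numbered PATH item of an event is the entry removed; item 0 is its parent dir
    paths = {}
    for m in PATH_RE.finditer(log_text):
        serial, item = m.group("serial"), int(m.group("item"))
        if item >= paths.get(serial, (-1, None))[0]:
            paths[serial] = (item, m.group("name"))
    seen = []
    for m in SYSCALL_RE.finditer(log_text):
        if m.group("arch") != "c000003e":        # rule says -F arch=b64: ignore 32-bit records
            continue
        name = X86_64_SYSCALLS.get(int(m.group("nr")))
        if name in rule and m.group("ok") == "yes":
            serial = m.group("serial")
            seen.append((serial, name, m.group("comm"), paths.get(serial, (0, None))[1]))
    return seen

if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("extended", EXTENDED_RULE)):
        print(label, [(s, c, p) for _, s, c, p in deletes_seen_by(SAMPLE_LOG, rule)])
```

To confirm which syscall your own rm issues before editing the rule, run `strace -e trace=unlink,unlinkat rm somefile` on a scratch file.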

If this

 -a exit,always -F arch=b64 -S unlink -S rmdir -k deletes

is your command, where do you tell it to log rm? I would assume it would log rmdir and not log rm at all (which, judging by your two examples, seems to be the case).

Looking at the auditd layout I would assume you need something like:

-a exit,always -F arch=b64 -S unlink -S rm -S rmdir -k delete

Rinzwind

It doesn't connect to the rm binary, it's connecting to the unlink system call, which is what rm uses, along with anything else that deletes a file, such as the PHP unlink function. There isn't an rm system call. – Synchro Jul 24 '14 at 10:11