The SLES for vRealize audit system must be configured to audit file deletions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-240537 | VRAU-SL-001465 | SV-240537r671352_rule | Medium |
| Description |
|---|
| If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. |
| STIG | Date |
|---|---|
| VMware vRealize Automation 7.x SLES Security Technical Implementation Guide | 2021-06-24 |
Details
| Check Text ( C-43770r671350_chk ) |
|---|
| Check the system audit configuration to determine if file and directory deletions are audited: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -i "rmdir" If no results are returned, or the results do not contain "-S rmdir", this is a finding. |
| Fix Text (F-43729r671351_fix) |
|---|
| Add the following to "/etc/audit/audit.rules" in order to capture file and directory deletion events: -a always,exit -F arch=b64 -S rmdir -S rm -a always,exit -F arch=b32 -S rmdir -S rm |