Add syscall rmdir to audit.rules

2025-07-31 01:24:58 +02:00 · 2018-10-22 03:03:21 +08:00 · 2018-10-22 03:03:21 +08:00 · 1bce989b10
commit 1bce989b10
parent 408896bdfd
1 changed files with 2 additions and 2 deletions
--- a/bin/hardening/8.1.14_record_file_deletions.sh
+++ b/bin/hardening/8.1.14_record_file_deletions.sh
@ -13,8 +13,8 @@ set -u # One variable unset, it's over

 HARDENING_LEVEL=4

-AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
 FILE='/etc/audit/audit.rules'

 # This function will be called if the script status is on enabled / audit mode