ComplianceAsCode · Mab879 · Mar 20, 2025 · Mar 13, 2025 · Mar 14, 2025
diff --git a/components/audit.yml b/components/audit.yml
@@ -106,6 +106,7 @@ rules:
 - audit_rules_file_deletion_events
 - audit_rules_file_deletion_events_rename
 - audit_rules_file_deletion_events_renameat
+- audit_rules_file_deletion_events_renameat2
 - audit_rules_file_deletion_events_rmdir
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1559,6 +1559,7 @@ controls:
 
     - audit_rules_file_deletion_events_rename
     - audit_rules_file_deletion_events_renameat
+    - audit_rules_file_deletion_events_renameat2
     - audit_rules_file_deletion_events_rmdir
     - audit_rules_file_deletion_events_unlink
     - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -2628,6 +2628,7 @@ controls:
     rules:
       - audit_rules_file_deletion_events_rename
       - audit_rules_file_deletion_events_renameat
+      - audit_rules_file_deletion_events_renameat2
       - audit_rules_file_deletion_events_unlink
       - audit_rules_file_deletion_events_unlinkat
 

diff --git a/controls/hipaa.yml b/controls/hipaa.yml
@@ -71,6 +71,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat
@@ -236,6 +237,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat
@@ -432,6 +434,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat
@@ -1166,6 +1169,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat
@@ -1306,6 +1310,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat
@@ -1476,6 +1481,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            -
10000
 audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat
@@ -1574,6 +1580,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2769,6 +2769,7 @@ controls:
         rules:
           - audit_rules_file_deletion_events_rename
           - audit_rules_file_deletion_events_renameat
+          - audit_rules_file_deletion_events_renameat2
           - audit_rules_file_deletion_events_rmdir
           - audit_rules_file_deletion_events_unlink
           - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000037-GPOS-00015.yml b/controls/srg_gpos/SRG-OS-000037-GPOS-00015.yml
@@ -28,6 +28,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000042-GPOS-00020.yml b/controls/srg_gpos/SRG-OS-000042-GPOS-00020.yml
@@ -26,6 +26,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000062-GPOS-00031.yml b/controls/srg_gpos/SRG-OS-000062-GPOS-00031.yml
@@ -29,6 +29,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml b/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml
@@ -28,6 +28,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml b/controls/srg_gpos/SRG-OS-000462-GPOS-00206.yml
@@ -28,6 +28,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000466-GPOS-00210.yml b/controls/srg_gpos/SRG-OS-000466-GPOS-00210.yml
@@ -18,6 +18,7 @@ controls:
             - audit_rules_execution_chacl
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000467-GPOS-00211.yml b/controls/srg_gpos/SRG-OS-000467-GPOS-00211.yml
@@ -7,6 +7,7 @@ controls:
         rules:
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000468-GPOS-00212.yml b/controls/srg_gpos/SRG-OS-000468-GPOS-00212.yml
@@ -12,6 +12,7 @@ controls:
             - audit_rules_execution_chcon
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/controls/srg_gpos/SRG-OS-000471-GPOS-00215.yml b/controls/srg_gpos/SRG-OS-000471-GPOS-00215.yml
@@ -28,6 +28,7 @@ controls:
             - audit_rules_execution_setsebool
             - audit_rules_file_deletion_events_rename
             - audit_rules_file_deletion_events_renameat
+            - audit_rules_file_deletion_events_renameat2
             - audit_rules_file_deletion_events_rmdir
             - audit_rules_file_deletion_events_unlink
             - audit_rules_file_deletion_events_unlinkat

diff --git a/...onfigure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh b/...onfigure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/bash/shared.sh
@@ -9,9 +9,9 @@ do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
 	OTHER_FILTERS=""
 	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset"
-	SYSCALL="rmdir unlink unlinkat rename renameat"
+	SYSCALL="rmdir unlink unlinkat rename renameat renameat2"
 	KEY="delete"
-	SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat"
+	SYSCALL_GROUPING="rmdir unlink unlinkat rename renameat renameat2"
 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 	{{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
 	{{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}

diff --git a/...nfigure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml b/...nfigure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml
@@ -7,6 +7,7 @@
       <extend_definition comment="audit unlinkat" definition_ref="audit_rules_file_deletion_events_unlinkat" />
       <extend_definition comment="audit rename" definition_ref="audit_rules_file_deletion_events_rename" />
       <extend_definition comment="audit renameat" definition_ref="audit_rules_file_deletion_events_renameat" />
+      <extend_definition comment="audit renameat2" definition_ref="audit_rules_file_deletion_events_renameat2" />
     </criteria>
   </definition>
 

diff --git a/...ditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/...ditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
@@ -8,14 +8,14 @@ description: |-
     for all users and root. If the <tt>auditd</tt> daemon is configured to use the
     <tt>augenrules</tt> program to read audit rules during daemon startup (the
     default), add the following line to a file with suffix <tt>.rules</tt> in the
-    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-    appropriate for your system:
-    <pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
+    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit
+    system, or having two lines for both b32 and b64 in case your system is 64-bit:
+    <pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat,renameat2 -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
-    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-    appropriate for your system:
-    <pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
+    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit
+    system, or having two lines for both b32 and b64 in case your system is 64-bit:
+    <pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat2 -S renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
 
 rationale: |-
     Auditing file deletions will create an audit trail for files that are removed
@@ -50,6 +50,7 @@ ocil: |-
     {{{ ocil_audit_syscall(syscall="unlinkat") }}}
     {{{ ocil_audit_syscall(syscall="rename") }}}
     {{{ ocil_audit_syscall(syscall="renameat") }}}
+    {{{ ocil_audit_syscall(syscall="renameat2") }}}
 
 {{{ ocil_clause_entry_audit_syscall() }}}
 
@@ -62,5 +63,8 @@ warnings:
         <li><tt>audit_rules_file_deletion_events_rmdir</tt></li>
         <li><tt>audit_rules_file_deletion_events_unlink</tt></li>
         <li><tt>audit_rules_file_deletion_events_unlinkat</tt></li>
+        <li><tt>audit_rules_file_deletion_events_rename</tt></li>
+        <li><tt>audit_rules_file_deletion_events_renameat</tt></li>
+        <li><tt>audit_rules_file_deletion_events_renameat2</tt></li>
         </ul>
 
diff --git a/...audit_file_deletion_events/audit_rules_file_deletion_events_rename/policy/stig/shared.yml b/...audit_file_deletion_events/audit_rules_file_deletion_events_rename/policy/stig/shared.yml
@@ -1,5 +1,5 @@
 srg_requirement: |-
-    {{{ full_name }}} must audit all uses of the rename,unlink,rmdir,renameat, and unlinkat system calls.
+    {{{ full_name }}} must audit all uses of the rename,unlink,rmdir,renameat,renameat2 and unlinkat system calls.
 
 vuldiscussion: |-
     Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
@@ -11,19 +11,19 @@ vuldiscussion: |-
     The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
 
 checktext: |-
-    Verify that {{{ full_name }}} is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command:
+    Verify that {{{ full_name }}} is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls with the following command:
 
     $ sudo auditctl -l | grep 'rename\|unlink\|rmdir'
 
-    -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
-    -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
+    -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
+    -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
 
     If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.
 
 fixtext: |-
-    Configure {{{ full_name }}} to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
+    Configure {{{ full_name }}} to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
 
-    -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
-    -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
+    -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
+    -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,renameat2,unlinkat -F auid&gt;={{{ uid_min }}} -F auid!=unset -k delete
 
     The audit daemon must be restarted for the changes to take effect.
diff --git a/...nfigure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/...nfigure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
@@ -7,13 +7,13 @@ description: |-
     for all users and root. If the <tt>auditd</tt> daemon is configured to use the
     <tt>augenrules</tt> program to read audit rules during daemon startup (the
     default), add the following line to a file with suffix <tt>.rules</tt> in the
-    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-    appropriate for your system:
+    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit
+    system, or having two lines for both b32 and b64 in case your system is 64-bit:
     <pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
-    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-    appropriate for your system:
+    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit
+    system, or having two lines for both b32 and b64 in case your system is 64-bit:
     <pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
 
 rationale: |-
@@ -70,6 +70,7 @@ template:
           - unlinkat
           - rename
           - renameat
+          - renameat2
           - rmdir
 
 fixtext: |-

diff --git a/...igure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/...igure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
@@ -7,13 +7,13 @@ description: |-
     for all users and root. If the <tt>auditd</tt> daemon is configured to use the
     <tt>augenrules</tt> program to read audit rules during daemon startup (the
     default), add the following line to a file with suffix <tt>.rules</tt> in the
-    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-    appropriate for your system:
+    directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for 32-bit
+    system, or having two lines for both b32 and b64 in case your system is 64-bit:
     <pre>-a always,exit -F arch=ARCH -S renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following line to
-    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-    appropriate for your system:
+    <tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for 32-bit
+    system, or having two lines for both b32 and b64 in case your system is 64-bit:
     <pre>-a always,exit -F arch=ARCH -S renameat -F auid&gt;={{{ auid }}} -F auid!=unset -F key=delete</pre>
 
 rationale: |-
@@ -67,6 +67,7 @@ template:
           - unlinkat
           - rename
           - renameat
+          - renameat2
           - rmdir
 fixtext: |-
     {{{ fixtext_audit_rules_file_deletion_events("renameat") | indent(4) }}}

diff --git a/...it_file_deletion_events/audit_rules_file_deletion_events_renameat2/policy/stig/shared.yml b/...it_file_deletion_events/audit_rules_file_deletion_events_renameat2/policy/stig/shared.yml
@@ -0,0 +1,25 @@
+srg_requirement: |-
+     Successful/unsuccessful uses of the renameat2 system call in {{{ full_name }}} must generate an audit record.
+
+vuldiscussion: |-
+    Auditing file deletions will create an audit trail for files that are removed
+    from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+    malicious processes that attempt to delete log files to conceal their presence.
+
+checktext: |-
+    To determine if the system is configured to audit calls to the
+     renameat2 system call, run the following command:
+     $ sudo grep "renameat2" /etc/audit/audit.*
+    If the system is configured to audit this activity, it will return a line.
+
+
+    If no line is returned, then this is a finding.
+
+fixtext: |-
+    Configure the audit system to generate an audit event for any successful/unsuccessful use of the "renameat2" system call by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file:
+    -a always,exit -F arch=b32 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=unset -k delete
+    -a always,exit -F arch=b64 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=unset -k delete
+
+    It's allowed to group this system call within the same line as "rename", "unlink", "rmdir", "renameat2", and "unlinkat".
+
+    The audit daemon must be restarted for the changes to take effect.