Account Deleted

Linux Ubuntu

Flynn Weeks

Flynn Weeks

February 4, 2022

Enabled by default

Service: syslog

Log type: auth.log

An attacker may attempt to tidy up after themselves by deleting an account or simply disrupt normal workflow by deleting legitimate accounts.

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

PCI DSS

Level: Required

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

In order to view this event from the Logs application, select the Security tab and search for userdel.

In order to find the log of a user account creation, enter the command grep "delete user" /var/log/auth.log.

View Logs
grep "delete user" /var/log/auth.log
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: bash
View Log Pile