Account Deleted
Enabled by default
Service: syslog
Log type: auth.log
An attacker may attempt to tidy up after themselves by deleting an account or simply disrupt normal workflow by deleting legitimate accounts.
View Logs
grep "delete user" /var/log/auth.log
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command. Stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command. Stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command. Stay tuned for updates!
Compliance
HIPAA
Level: Recommended
PCI DSS
Level: Required
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599
NSA Event Forwarding
Level: Recommended
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
In order to view this event from the Logs application, select the Security tab and search for userdel.
In order to find the log of a user account deletion, enter the command grep "delete user" /var/log/auth.log.
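A stricter version of the grep search, as an added example that is not part of the original page: it reports only lines whose syslog tag is userdel, so the string "delete user" inside another service's message is not counted, and it prints the timestamp, host and deleted account. The function names and sample log lines are constructed for illustration, and the ISO 8601 timestamp handling is an assumption about hosts configured for that format.

```bash
#!/usr/bin/env bash
# Added example: sample log lines are constructed, not taken from a real host.

# Print "<timestamp> <host> <deleted user>" for each deletion logged by userdel.
# Reads auth.log lines on stdin.
account_deletions() {
  awk -v q="'" '
    {
      # Locate the syslog tag: field 5 with the traditional "Mon DD HH:MM:SS"
      # timestamp, field 3 when the line starts with an ISO 8601 timestamp.
      t = ($1 ~ /^[0-9][0-9][0-9][0-9]-/) ? 3 : 5
      # Require the tag to be userdel so that "delete user" appearing inside
      # another service message (for example a login name echoed by sshd)
      # is not reported as a deletion.
      if ($t ~ /^userdel(\[[0-9]+\])?:$/ && $(t+1) == "delete" && $(t+2) == "user") {
        user = $(t+3)
        gsub(q, "", user)            # userdel wraps the name in single quotes
        ts = $1
        for (i = 2; i < t - 1; i++) ts = ts " " $i
        print ts, $(t-1), user
      }
    }'
}

# Constructed sample input covering both timestamp styles and a decoy line.
sample_auth_log() {
  cat <<'EOF'
Sep 14 09:12:44 web01 sshd[2210]: Invalid user delete user from 203.0.113.7 port 40122
Sep 14 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/userdel -r bob
Sep 14 09:15:02 web01 userdel[2301]: delete user 'bob'
Sep 14 09:15:02 web01 userdel[2301]: removed group 'bob' owned by 'bob'
2024-09-15T03:41:10.120394+00:00 web01 userdel[3188]: delete user 'svc-backup'
EOF
}

# Usage on a live system: sudo cat /var/log/auth.log | account_deletions
sample_auth_log | account_deletions
```

On the sample input the plain grep "delete user" returns three lines, including the sshd message, while account_deletions returns only the two userdel events.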