diff --git a/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md b/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md index 81a1ac2740edbed34b246c76f87e2dbf96502943..eebaed71c631233427ce69fe71eabb37d366ecfa 100644 --- a/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md +++ b/benchmarks/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.md @@ -6,7 +6,25 @@ ## 描述 -对删除文件的操作进行审计记录 +对删除文件的操作进行审计记录。 +因ARM架构的部分规则与X86不一致,需在操作前使用`arch`或`uname -m`命令,对硬件架构进行判断,并使用相应的规则进行加固修复,否则会导致审计规则报错,无法生效: +- X86架构: +```bash +# arch +x86_64 + +# uname -m +x86_64 +``` + +- ARM架构: +```bash +# arch +aarch64 + +# uname -m +aarch64 +``` ## 修复建议 
@@ -14,17 +32,25 @@ 运行以下命令,配置审计服务,确保收集用户的文件删除事件: +- X86架构: ```bash # echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules # echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules ``` +- ARM架构: +```bash +# echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules +# echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules +``` + ## 扫描检测 确保收集用户的文件删除事件。 执行以下命令,检查文件删除审计收集是否正确配置: +- X86架构: ```bash # grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 
@@ -35,5 +61,16 @@ -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete ``` +- ARM架构: +```bash +# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules +-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +# grep -P "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/audit.rules +-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +``` + 如输出结果符合预期,则视为通过此项检查。 ## 参考 diff --git a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh index bc3ef487e645cfc342258d20417a79e168d4a57f..ef817a2bc05fabe260078a1f3cdec38d0da163cc 100644 --- a/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh +++ b/remediation-kits/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh 
@@ -1,2 +1,7 @@
-grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
-grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules
\ No newline at end of file
+if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
+ grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
+ grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules
+else
+ grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/rules.d/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/rules.d/audit.rules
+ grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" /etc/audit/audit.rules || echo -e "\n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n" >> /etc/audit/audit.rules
+fi
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
index c7ffd87f053a39ff6964f2d0d2038cdef2b3506c..3289838eb36626bc8b0d260b5b08ff3d66a4cbeb 100644
--- a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
+++ b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
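Review bot: The branch condition on the first added line requires both `arch` and `uname -m` to report `aarch64`, so on an ARM image where the `arch` binary is absent the substitution comes back empty and the script falls through to the x86 rule set — exactly the rejected-rule outcome the benchmark text warns about. A single `machine=$(uname -m)` (the backtick form is also the legacy syntax) makes the decision depend on one command, and since the four `grep || echo` lines differ only in the b64 rule text, the rule can be chosen once and appended to both files in a loop; the rewrite below keeps the loosened `\-S\sunlink.*-k\sdelete` presence check and the double append unchanged. The scanner hunk that follows uses the same two-command detection and should be aligned with it. Note also that every non-aarch64 machine receives the x86 rules; whether other architectures are in scope for this kit cannot be told from the diff.
```bash
machine=$(uname -m)
if [[ "$machine" == 'aarch64' ]]; then
  # per the benchmark doc, the x86 b64 rule (unlink/rename) is rejected by auditd on aarch64
  rule64='-a always,exit -F arch=b64 -S unlinkat -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
else
  rule64='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
fi
rule32='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
for rules_file in /etc/audit/rules.d/audit.rules /etc/audit/audit.rules; do
  grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink.*-k\sdelete" "$rules_file" \
    || printf '\n%s\n%s\n\n' "$rule64" "$rule32" >> "$rules_file"
done
```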
@@ -1,6 +1,10 @@ result=false -grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b(32|64)\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && result=true +if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then +grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && result=true +else +grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && result=true +fi if [ "$result" = true ]; then echo "pass"