diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
index 10fefca4c3..8244dda803 100644
--- a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
+++ b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.c
@@ -59,8 +59,8 @@ char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #endif
 
 // toggle this for additional debug output
-#define trace_hook(...)
-// #define trace_hook(...) bpf_printk(__VA_ARGS__)
+// #define trace_hook(...)
+#define trace_hook(...) bpf_printk(__VA_ARGS__)
 
 // Keep track of all mount namespaces that should be (temporarily) excluded from
 // recording. When running in Kubernetes, we generally ignore the host mntns.
@@ -506,6 +506,27 @@ int sys_enter_prctl(struct trace_event_raw_sys_enter * ctx)
 return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_unlink")
+int sys_enter_unlink(struct trace_event_raw_sys_enter * ctx)
+{
+ u32 mntns = get_mntns();
+ if (!mntns)
+ return 0;
+ trace_hook("sys_enter_unlink %s", ctx->args[0]);
+ return 0;
+}
+
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int sys_enter_unlinkat(struct trace_event_raw_sys_enter * ctx)
+{
+ u32 mntns = get_mntns();
+ if (!mntns)
+ return 0;
+ trace_hook("sys_enter_unlinkat %s", ctx->args[1]);
+ return 0;
+}
+
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec * ctx)
 {
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64
index 0d7796bf30..0de250f716 100644
Binary files a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 and b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.amd64 differ
diff --git a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64
index 32bae870ab..0bccb2f991 100644
Binary files a/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 and b/internal/pkg/daemon/bpfrecorder/bpf/recorder.bpf.o.arm64 differ
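Review bot: Making `#define trace_hook(...) bpf_printk(__VA_ARGS__)` the active line turns the debug trace on in every hook of the recorder by default, and the comment above it ("toggle this for additional debug output") indicates this was meant as an opt-in developer switch, so this looks like a debugging leftover that should not ship. bpf_printk writes into the node-wide kernel trace buffer, costs a helper call on every traced syscall, and with the unlink hooks added below it exposes process-supplied file paths to anyone who can read the trace pipe on the node. Restore `#define trace_hook(...)` as the active definition and keep the bpf_printk variant commented out, or put the choice behind a build-time define so the shipped object files (also updated in this commit) stay quiet.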
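Review bot: `ctx->args[0]` on the trace_hook line in sys_enter_unlink is the raw user-space `pathname` pointer, and bpf_printk's `%s` treats its argument as a kernel pointer, so the trace will print an empty or unusable string instead of the path; copy it into a fixed-size stack buffer first, e.g. `bpf_probe_read_user_str(buf, sizeof(buf), (const char *)ctx->args[0]);`, and pass `buf` to trace_hook. The same applies to `ctx->args[1]` in sys_enter_unlinkat. Beyond that, both new programs only emit trace output and record nothing into a map, yet bpfrecorder_apparmor.go registers them so they are attached and fire for every unlink/unlinkat on the node; a syscall-entry argument is also the caller-supplied string, not the kernel-resolved path (dirfd-relative, symlinks, `..`), so it should not be relied on for profile generation where the existing `path_unlink` LSM hook already observes the resolved path. If the intent is only temporary debugging, consider leaving these hooks out of the registered list until they record something.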
diff --git a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
index b4fae269ad..a6f5bff1ce 100644
--- a/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
+++ b/internal/pkg/daemon/bpfrecorder/bpfrecorder_apparmor.go
@@ -51,6 +51,8 @@ var appArmorHooks = []string{
 "path_mknod",
 "path_unlink",
 "bprm_check_security",
+ "sys_enter_unlink",
+ "sys_enter_unlinkat",
 "sys_enter_socket",
 "cap_capable",
 }