mediumauditverified ✓rollback-safe
Audit mount and unmount operations
audit-mount-operations · RHEL ≥ 8 · 1 impl
Description
The system must audit all mount and unmount operations to track filesystem changes.
Rationale
Unauthorized mounts could be used to access data or bypass security controls. Auditing mount operations provides visibility into filesystem changes and potential attack attempts.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
- persist_file:
- /etc/audit/rules.d/50-mounts.rules
Framework references
CIS
rhel9 6.3.3.10rhel10 6.3.3.21rhel8 6.3.3.10
STIG
V-230423
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#mount#filesystem#stig