← Rules Catalog
mediumauditverified rollback-safe

Audit mount and unmount operations

audit-mount-operations · RHEL ≥ 8 · 1 impl

Description

The system must audit all mount and unmount operations to track filesystem changes.

Rationale

Unauthorized mounts could be used to access data or bypass security controls. Auditing mount operations provides visibility into filesystem changes and potential attack attempts.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
persist_file:
/etc/audit/rules.d/50-mounts.rules

Framework references

CIS

rhel9 6.3.3.10rhel10 6.3.3.21rhel8 6.3.3.10

STIG

V-230423

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#mount#filesystem#stig