mediumauditunverified
Audit use of the mount syscall
audit-mount-syscall · RHEL ≥ 8 · 1 impl
Description
The audit system must record use of the mount syscall by interactive users on both the 32-bit and 64-bit ABIs, so filesystem mount operations are attributable.
Rationale
Mounting a filesystem can introduce untrusted content or shadow a directory to hide files. Auditing the mount syscall on both ABIs preserves a record of who performed it.
Check → Remediate
Checkcommand
loaded=$(auditctl -l 2>/dev/null) miss="" echo "$loaded" | grep -Eq 'arch=b32.*-S mount([[:space:],]|$)' || miss="$miss b32" echo "$loaded" | grep -Eq 'arch=b64.*-S mount([[:space:],]|$)' || miss="$miss b64" if [ -n "$miss" ]; then echo "FAIL: missing mount-syscall audit rule(s):$miss" exit 1 fi echo "OK: mount syscall is audited on both ABIs" exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
Framework references
STIG
V-281147 / RHEL-10-500610V-230425 / RHEL-08-030302
NIST 800-53
AU-12
#audit#mount#syscall#stig