← Rules Catalog
mediumauditunverified

Audit use of the mount syscall

audit-mount-syscall · RHEL ≥ 8 · 1 impl

Description

The audit system must record use of the mount syscall by interactive users on both the 32-bit and 64-bit ABIs, so filesystem mount operations are attributable.

Rationale

Mounting a filesystem can introduce untrusted content or shadow a directory to hide files. Auditing the mount syscall on both ABIs preserves a record of who performed it.

Check → Remediate

Checkcommand
loaded=$(auditctl -l 2>/dev/null)
miss=""
echo "$loaded" | grep -Eq 'arch=b32.*-S mount([[:space:],]|$)' || miss="$miss b32"
echo "$loaded" | grep -Eq 'arch=b64.*-S mount([[:space:],]|$)' || miss="$miss b64"
if [ -n "$miss" ]; then
  echo "FAIL: missing mount-syscall audit rule(s):$miss"
  exit 1
fi
echo "OK: mount syscall is audited on both ABIs"
exit 0
expected_exit:
0
Remediatemanual
note:
Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount

Framework references

STIG

V-281147 / RHEL-10-500610V-230425 / RHEL-08-030302

NIST 800-53

AU-12
#audit#mount#syscall#stig