mediumauditunverified
Audit privileged use of the umount command
audit-umount-privileged · RHEL ≥ 8 · 1 impl
Description
The audit system must record execution of the /usr/bin/umount command by interactive users, so unmount operations are attributable.
Rationale
Unmounting a filesystem can be used to evade file integrity controls or hide activity. Auditing execution of the umount binary preserves a record of who performed it.
Check → Remediate
Checkcommand
if auditctl -l 2>/dev/null | grep -Eq -- 'path=/usr/bin/umount.*perm=x'; then echo "OK: privileged use of /usr/bin/umount is audited" exit 0 fi echo "FAIL: no audit rule for '-F path=/usr/bin/umount -F perm=x'" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
Framework references
STIG
V-281118 / RHEL-10-500320V-258180 / RHEL-09-654030V-230424 / RHEL-08-030301
NIST 800-53
AU-12
#audit#umount#privileged#mount#stig