← Rules Catalog
mediumauditunverified

Audit privileged use of the umount command

audit-umount-privileged · RHEL ≥ 8 · 1 impl

Description

The audit system must record execution of the /usr/bin/umount command by interactive users, so unmount operations are attributable.

Rationale

Unmounting a filesystem can be used to evade file integrity controls or hide activity. Auditing execution of the umount binary preserves a record of who performed it.

Check → Remediate

Checkcommand
if auditctl -l 2>/dev/null | grep -Eq -- 'path=/usr/bin/umount.*perm=x'; then
  echo "OK: privileged use of /usr/bin/umount is audited"
  exit 0
fi
echo "FAIL: no audit rule for '-F path=/usr/bin/umount -F perm=x'"
exit 1
expected_exit:
0
Remediatemanual
note:
Add to a file under /etc/audit/rules.d/ then 'augenrules --load' (reboot if auditd is immutable): -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount

Framework references

STIG

V-281118 / RHEL-10-500320V-258180 / RHEL-09-654030V-230424 / RHEL-08-030301

NIST 800-53

AU-12
#audit#umount#privileged#mount#stig