← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the umount system call

audit-umount · RHEL ≥ 8 · 1 impl

Description

Successful and unsuccessful uses of the umount system call must generate an audit record to detect unauthorized filesystem unmounting.

Rationale

Auditing umount syscalls detects attempts to remove filesystems that may be part of an attack, such as unmounting security monitoring partitions or audit log partitions.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b32 -S umount
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
persist_file:
/etc/audit/rules.d/50-mounts.rules

Framework references

STIG

V-281152 / RHEL-10-500660V-258215 / RHEL-09-654205

NIST 800-53

AU-2AU-12CM-6

Live verification

rhel9:check
#audit#auditd#syscall#mount