mediumauditverified ✓rollback-safe
Audit uses of the umount system call
audit-umount · RHEL ≥ 8 · 1 impl
Description
Successful and unsuccessful uses of the umount system call must generate an audit record to detect unauthorized filesystem unmounting.
Rationale
Auditing umount syscalls detects attempts to remove filesystems that may be part of an attack, such as unmounting security monitoring partitions or audit log partitions.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b32 -S umount
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
- persist_file:
- /etc/audit/rules.d/50-mounts.rules
Framework references
STIG
V-281152 / RHEL-10-500660V-258215 / RHEL-09-654205
NIST 800-53
AU-2AU-12CM-6
Live verification
rhel9:check
#audit#auditd#syscall#mount