mediumauditverified ✓rollback-safe
Audit uses of the umount2 system call
audit-umount2 · RHEL ≥ 8 · 1 impl
Description
Successful and unsuccessful uses of the umount2 system call must generate an audit record to detect unauthorized filesystem unmounting.
Rationale
The umount2 syscall is a variant of umount used for forceful or lazy unmounting. Auditing it ensures comprehensive coverage of unmount operations that could indicate an attacker removing security controls or log partitions.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S umount2
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
- persist_file:
- /etc/audit/rules.d/50-mounts.rules
Framework references
STIG
V-281153 / RHEL-10-500670V-258216 / RHEL-09-654210
NIST 800-53
AU-2AU-12CM-6
Live verification
rhel9:check
#audit#auditd#syscall#mount