mediumfilesystemverified ✓rollback-safe
Set mount options on /var/log/audit
mount-var-log-audit-options · RHEL ≥ 8 · 1 impl
Description
The /var/log/audit partition should have nodev, nosuid, and noexec mount options set to prevent device files, setuid binaries, and executable files in the audit log directory.
Rationale
Restrictive mount options on /var/log/audit prevent execution of malicious code that might be placed in log files and limit potential privilege escalation vectors.
Check → Remediate
Checkcomposed · 3 sub-checks (all must pass)
- 1. mount_option:
- mount_point=/var/log/audit options=nodev
- 2. mount_option:
- mount_point=/var/log/audit options=nosuid
- 3. mount_option:
- mount_point=/var/log/audit options=noexec
Remediatemount_option_set
- mount_point:
- /var/log/audit
- options:
- nodev, nosuid, noexec
Framework references
CIS
rhel9 1.1.2.7.2rhel9 1.1.2.7.3rhel9 1.1.2.7.4rhel10 1.1.2.7.2rhel10 1.1.2.7.3rhel10 1.1.2.7.4rhel8 1.1.2.7.2rhel8 1.1.2.7.3rhel8 1.1.2.7.4
STIG
V-230517 / RHEL-08-040129V-230518 / RHEL-08-040130V-230519 / RHEL-08-040131V-257873 / RHEL-09-231160V-257874 / RHEL-09-231165V-257875 / RHEL-09-231170V-281091 / RHEL-10-400400V-281092 / RHEL-10-400405V-281093 / RHEL-10-400410
NIST 800-53
AC-6CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#mount#audit#logging#security