← Rules Catalog
mediumfilesystemverified rollback-safe

Set mount options on /var/log/audit

mount-var-log-audit-options · RHEL ≥ 8 · 1 impl

Description

The /var/log/audit partition should have nodev, nosuid, and noexec mount options set to prevent device files, setuid binaries, and executable files in the audit log directory.

Rationale

Restrictive mount options on /var/log/audit prevent execution of malicious code that might be placed in log files and limit potential privilege escalation vectors.

Check → Remediate

Checkcomposed · 3 sub-checks (all must pass)
1. mount_option:
mount_point=/var/log/audit options=nodev
2. mount_option:
mount_point=/var/log/audit options=nosuid
3. mount_option:
mount_point=/var/log/audit options=noexec
Remediatemount_option_set
mount_point:
/var/log/audit
options:
nodev, nosuid, noexec

Framework references

CIS

rhel9 1.1.2.7.2rhel9 1.1.2.7.3rhel9 1.1.2.7.4rhel10 1.1.2.7.2rhel10 1.1.2.7.3rhel10 1.1.2.7.4rhel8 1.1.2.7.2rhel8 1.1.2.7.3rhel8 1.1.2.7.4

STIG

V-230517 / RHEL-08-040129V-230518 / RHEL-08-040130V-230519 / RHEL-08-040131V-257873 / RHEL-09-231160V-257874 / RHEL-09-231165V-257875 / RHEL-09-231170V-281091 / RHEL-10-400400V-281092 / RHEL-10-400405V-281093 / RHEL-10-400410

NIST 800-53

AC-6CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#mount#audit#logging#security