Detections
Analytics
6.3.3.21 Ensure successful file system mounts are collected
Information
Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged userIt is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document.
Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Solution
Note:- The -w option is deprecated and the rule should be updated in accordance with the Remediation Procedure.
- For best performance, the arch field should be supplied in the rule. The individual permissions will cause the selection of specific system calls that use that kind of access. Not supplying the arch will cause the selection of all system calls which will affect performance as all system calls will be evaluated.
1.Edit or create a file in the /etc/audit/rules.d/ directory, ending inrules extension, with the relevant rules to monitor successful file system mounts.
Example:
# printf "
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
" >> /etc/audit/rules.d/50-mounts.rules
Note : The auid>= value should be set to the same value as UID_MIN value in /etc/login.defs
<xhtml:ol start="2"> - Merge and load the rules into active configuration:
# augenrules --load <xhtml:ol start="3"> - Check if reboot is required:
# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
See Also
Item Details
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, CSCv7|6.3
Plugin: Unix
Control ID: 03f1432740e566d20b2ab7e38c1039b7b52c874608abbf193fcead55cda91dc5