Detections
Analytics
OL09-00-000840 - OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record.
Information
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Solution
Configure the audit system to generate an audit event for any successful/unsuccessful use of the umount system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory:-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
The audit daemon must be restarted for the changes to take effect.
Restart auditd:
$ sudo service auditd restart
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_9_V1R4_STIG.zip
Item Details
Audit Name: DISA Oracle Linux 9 STIG v1r4
Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE
References: 800-53|AU-3, 800-53|AU-12a., 800-53|AU-12c., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000130, CCI|CCI-000169, CCI|CCI-000172, CCI|CCI-002884, Rule-ID|SV-271594r1155314_rule, STIG-ID|OL09-00-000840, Vuln-ID|V-271594
Plugin: Unix
Control ID: fa01e9afe7ade474956d96754b58220d6be1d32de42193741a1f9d63baf0d563