Detections
Analytics
RHEL-10-500670 - RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2" system call.
Information
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing discretionary access control (DAC) modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Solution
Configure RHEL 10 to generate audit records upon successful and unsuccessful uses of the "umount2" system call by adding or updating the following rules in a file in "/etc/audit/rules.d":-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
Restart the audit daemon with the following command for the changes to take effect:
$ sudo service auditd restart
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1
Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE
References: 800-53|AU-3, 800-53|AU-12a., 800-53|AU-12c., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000130, CCI|CCI-000169, CCI|CCI-000172, CCI|CCI-002884, Rule-ID|SV-281153r1166411_rule, STIG-ID|RHEL-10-500670, Vuln-ID|V-281153
Plugin: Unix
Control ID: f7a2f26d04de932297b16ba3d6bd28d7de45c93c16d204119cfa38192eafb7b0