Detections
Analytics
SLEM-05-654185 - SLEM 5 must generate audit records for all uses of the "umount" system call.
Information
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Solution
Configure SLEM 5 to generate an audit record for all uses of the "umount" and "umount2" system calls.Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
To reload the rules file, restart the audit daemon:
> sudo systemctl restart auditd.service
or issue the following command:
> sudo augenrules --load
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLEM_5_V1R4_STIG.zip
Item Details
Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE
References: 800-53|AU-3, 800-53|AU-12a., 800-53|AU-12c., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000130, CCI|CCI-000169, CCI|CCI-000172, CCI|CCI-002884, Rule-ID|SV-261460r996787_rule, STIG-ID|SLEM-05-654185, Vuln-ID|V-261460
Plugin: Unix
Control ID: f0d46ebf624c2f3dba5489984dcf7d8ef5a7f8eeb52a5795f812bad3014340ab