4.1.14 Ensure successful file system mounts are collected - b64

Information

Monitor the use of the mount system call. The mount (and umount ) system call controls the
mounting and unmounting of file systems. The parameters below configure the system to
create an audit record when the mount system call is used by a non-privileged user

Rationale:

It is highly unusual for a non privileged user to mount file systems to the system. While
tracking mount commands gives the system administrator evidence that external media
may have been mounted (based on a review of the source of the mount and confirming it's
an external media type), it does not conclusively indicate that data was exported to the
media. System administrators who wish to determine if data were exported, would also
have to track successful open , creat and truncate system calls requiring write access to a
file under the mount point of the external media file system. This could give a fair
indication that a write occurred. The only way to truly prove it, would be to track
successful writes to the external media. Tracking write system calls could quickly fill up the
audit log and is not recommended. Recommendations on configuration options to track
data export to media is beyond the scope of this document.

Solution

For 32 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in
.rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k
mounts

For 64 bit systems Edit or create a file in the /etc/audit/rules.d/ directory ending in
.rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k
mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k
mounts

Notes:

This tracks successful and unsuccessful mount commands. File system mounts do not have
to come from external media and this action still does not verify write (e.g. CD ROMS).

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2420