OL07-00-030740 - The Oracle Linux operating system must audit all uses of the mount command and syscall - /etc/audit/audit.rules.

Information

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and 'unset' in the same way.

Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172

Solution

Configure the operating system to generate audit records when successful/unsuccessful attempts to use the 'mount' command and syscall occur.

Add or update the following rules in '/etc/audit/rules.d/audit.rules':

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount

The audit daemon must be restarted for the changes to take effect.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_7_V2R14_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

References: 800-53|AU-3(1), 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000135, CCI|CCI-002884, Rule-ID|SV-221813r860882_rule, STIG-ID|OL07-00-030740, STIG-Legacy|SV-108469, STIG-Legacy|V-99365, Vuln-ID|V-221813

Plugin: Unix

Control ID: a4a6fba70ea0b7e7505c295dee6c2ef8e0bf4903c3d524c9ae0f117bfeb38031