RHEL-06-000199 - The audit system must be configured to audit successful file system mounts - auid=0 64 bit

Information

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Solution

At a minimum, the audit system should collect media exportation events for all users and root. Add the following to '/etc/audit/audit.rules':

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid=0 -k export

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid=0 -k export

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|III, CCI|CCI-000172, Rule-ID|SV-217977r603264_rule, STIG-ID|RHEL-06-000199, STIG-Legacy|SV-50369, STIG-Legacy|V-38568, Vuln-ID|V-217977

Plugin: Unix

Control ID: 585467bd38df92c1eb09f2548528487daaf62a686f21b3edd02e251faf8d7d36