UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must be configured to audit successful file system mounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-208907 OL6-00-000199 SV-208907r603263_rule Low
Description
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
STIG Date
Oracle Linux 6 Security Technical Implementation Guide 2021-06-14

Details

Check Text ( C-9160r357701_chk )
To verify that auditing is configured for all media exportation events, run the following command:

$ sudo grep -w "mount" /etc/audit/audit.rules

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid=0 -k export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid=0 -k export

If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding.

If no line is returned, this is a finding.
Fix Text (F-9160r357702_fix)
At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules:

-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid=0 -k export

If the system is 64-bit, then also add the following:

-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid=0 -k export