The audit system must be configured to audit successful file system mounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-208907 | OL6-00-000199 | SV-208907r793693_rule | Low |
| Description |
|---|
| The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. |
| STIG | Date |
|---|---|
| Oracle Linux 6 Security Technical Implementation Guide | 2021-12-03 |
Details
| Check Text ( C-9160r357701_chk ) |
|---|
| To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export If the system is 64-bit and does not return rules for both "b32" and "b64" architectures, this is a finding. If no line is returned, this is a finding. |
| Fix Text (F-9160r357702_fix) |
|---|
| At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules: -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b32 -S mount -F auid=0 -k export If the system is 64-bit, then also add the following: -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=b64 -S mount -F auid=0 -k export |