Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-38568 | RHEL-06-000199 | SV-50369r3_rule | Low |
Description |
---|
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2016-06-05 |
Check Text ( C-46126r2_chk ) |
---|
To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w "mount" /etc/audit/audit.rules If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding. |
Fix Text (F-43516r2_fix) |
---|
At a minimum, the audit system should collect media exportation events for all users and root. Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=ARCH -S mount -F auid=0 -k export |