SLEM 5 must generate audit records for all uses of the "umount" system call.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-261460	SLEM-05-654185	SV-261460r996787_rule		Medium

Description
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

STIG	Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide	2024-06-04

Details

Check Text ( C-65189r996785_chk )
Verify SLEM 5 generates an audit record for all uses of the "umount" and "umount2" system calls with the following command: > sudo auditctl -l \| grep 'umount' -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Check Text ( C-65189r996785_chk )

Verify SLEM 5 generates an audit record for all uses of the "umount" and "umount2" system calls with the following command:

> sudo auditctl -l | grep 'umount'
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount

If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Fix Text (F-65097r996786_fix)
Configure SLEM 5 to generate an audit record for all uses of the "umount" and "umount2" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

Fix Text (F-65097r996786_fix)

Configure SLEM 5 to generate an audit record for all uses of the "umount" and "umount2" system calls.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount

To reload the rules file, restart the audit daemon:

> sudo systemctl restart auditd.service

or issue the following command:

> sudo augenrules --load