Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:13 [2017/05/04 16:13] (current)
Piotr Kłoczewski created
Line 1: Line 1:
 +====== 4.1.13 Ensure successful file system mounts are collected (Scored) ====== 
 +=====Profile Applicability===== ​  
 +<​code>​ 
 +Level 2 - Server  
 +Level 2 - Workstation 
 +</​code>​ 
 +=====Description===== 
 +Monitor the use of the ''​mount''​ system call. The ''​mount''​ (and ''​umount''​) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user 
 +=====Rationale===== 
 +It is highly unusual for a non privileged user to ''​mount''​ file systems to the system. While tracking ''​mount''​ commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful ''​open'',​ ''​create''​ and ''​truncate''​ system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document. 
 +=====Audit=====  
 +On a 32 bit system run the following command and verify the output matches: 
 +<​Code:​bash>​ 
 +# grep mounts /​etc/​audit/​audit.rules  
 +-a always,exit -F arch=b32 -S mount -F auid>​=1000 -F auid!=4294967295 -k mounts 
 +</​Code>​ 
 +On a 64 bit system run the following command and verify the output matches: 
 +<​Code:​bash>​ 
 +# grep mounts /​etc/​audit/​audit.rules  
 +-a always,exit -F arch=b64 -S mount -F auid>​=1000 -F auid!=4294967295 -k mounts  
 +-a always,exit -F arch=b32 -S mount -F auid>​=1000 -F auid!=4294967295 -k mounts 
 +</​Code>​ 
 +=====Remediation=====  
 +For 32 bit systems add the following lines to the ''/​etc/​audit/​audit.rules''​ file: 
 +<​Code:​bash>​ 
 +-a always,exit -F arch=b32 -S mount -F auid>​=1000 -F auid!=4294967295 -k mounts 
 +</​Code>​ 
 +For 64 bit systems add the following lines to the ''/​etc/​audit/​audit.rules''​ file: 
 +<​Code:​bash>​ 
 +-a always,exit -F arch=b64 -S mount -F auid>​=1000 -F auid!=4294967295 -k mounts  
 +-a always,exit -F arch=b32 -S mount -F auid>​=1000 -F auid!=4294967295 -k mounts 
 +</​Code>​ 
 +=====Notes=====  
 +This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS).