{"description": "At a minimum, the audit system should collect file system umount2\nchanges. If the <tt>auditd</tt> daemon is configured\nto use the <tt>augenrules</tt> program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F arch=b32 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the system is 64 bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file:\n<pre>-a always,exit -F arch=b32 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the system is 64 bit then also add the following line:\n<pre>-a always,exit -F arch=b64 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>", "rationale": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.", "severity": "medium", "references": {"srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-APP-000495-CTR-001235"], "anssi": ["R73"]}, "control_references": {"anssi": ["R73"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>umount2</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"umount2\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"umount2\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/perm_mod.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod\n-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the umount2 system call in Ubuntu 22.04 must generate an audit record.", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Successful/unsuccessful uses of the umount2 system call in Ubuntu 22.04 must generate an audit record.", "vuldiscussion": "The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.", "checktext": "To determine if the system is configured to audit calls to the umount2 system call, run the following command:\n\n$ sudo auditctl -l | grep umount2\n\n-a always,exit -F arch=b64 -S umount2 -F auid&gt;=1000 -F auid!=-1 -F key=privileged-umount\n-a always,exit -F arch=b32 -S umount2 -F auid&gt;=1000 -F auid!=-1 -F key=privileged-umount\n\nIf no line is returned, this is a finding.", "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"umount2\" system call by adding or updating the following rules in a file in \"/etc/audit/rules.d\".\n\n-a always,exit -F arch=b32 -S umount2 -F auid&gt;=1000 -F auid!=unset -k privileged-umount\n-a always,exit -F arch=b64 -S umount2 -F auid&gt;=1000 -F auid!=unset -k privileged-umount\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify the System's Discretionary Access Controls - umount2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml", "template": {"name": "audit_rules_dac_modification", "vars": {"attr": "umount2"}, "backends": {}}}