{"description": "At a minimum, the audit system should collect file system umount\nchanges. If the <tt>auditd</tt> daemon is configured\nto use the <tt>augenrules</tt> program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file:\n<pre>-a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>", "rationale": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.", "severity": "medium", "references": {"srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-APP-000495-CTR-001235"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify that Ubuntu 22.04 generates an audit record for all uses of the \"umount\" and system call.\nTo determine if the system is configured to audit calls to the\n\"umount\" system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"umount\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line like the following.\n-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"umount\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/perm_mod.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod\nThe audit daemon must be restarted for the changes to take effect. ", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the umount system call in Ubuntu 22.04 must generate an audit record.", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Successful/unsuccessful uses of the umount system call in Ubuntu 22.04 must generate an audit record.", "vuldiscussion": "The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.", "checktext": "Verify that Ubuntu 22.04 generates an audit record for all uses of the \"umount\" and system call with the following command:\n\n$ sudo auditctl -l | grep b32 | grep 'umount\\b'\n\n-a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=-1 -F key=privileged-umount\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"umount\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/perm_mod.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n-a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=unset -k privileged-umount\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": ["not aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": ["not_aarch64_arch"], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify the System's Discretionary Access Controls - umount", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml", "template": null}