{"description": "At a minimum, the audit system should collect media exportation\nevents for all users and root. If the <tt>auditd</tt> daemon is configured to\nuse the <tt>augenrules</tt> program to read audit rules during daemon startup\n(the default), add the following line to a file with suffix <tt>.rules</tt> in\nthe directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 for\n32-bit system, or having two lines for both b32 and b64 in case your\nsystem is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S mount -F auid&gt;=1000 -F auid!=unset -F key=export</pre>\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 for\n32-bit system, or having two lines for both b32 and b64 in case your\nsystem is 64-bit:\n<pre>-a always,exit -F arch=ARCH -S mount -F auid&gt;=1000 -F auid!=unset -F key=export</pre>", "rationale": "The unauthorized exportation of data to external media could result in an information leak\nwhere classified information, Privacy Act information, and intellectual property could be lost. An audit\ntrail should be created each time a filesystem is mounted to help identify and guard against information\nloss.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cjis": ["5.4.1.1"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.7"], "srg": ["SRG-OS-000037-GPOS-00015", "SRG-OS-000042-GPOS-00020", "SRG-OS-000062-GPOS-00031", "SRG-OS-000392-GPOS-00172", "SRG-OS-000462-GPOS-00206", "SRG-OS-000471-GPOS-00215", "SRG-APP-000495-CTR-001235"], "anssi": ["R73"], "cis": ["6.3.3.10"], "pcidss4": ["10.2.1.7", "10.2.1", "10.2"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.10"], "pcidss4": ["10.2.1.7", "10.2.1", "10.2"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "To determine if the system is configured to audit calls to the\n<code>mount</code> system call, run the following command:\n<pre space=\"preserve\">$ sudo grep \"mount\" /etc/audit/audit.*</pre>\nIf the system is configured to audit this activity, it will return a line.\n", "oval_external_content": null, "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful use of the \"mount\" system call by adding or updating the following rules in \"/etc/audit/audit.rules\" and adding the following rules to \"/etc/audit/rules.d/export.rules\" or updating the existing rules in files in the \"/etc/audit/rules.d/\" directory:\n\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k export\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k export\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Successful/unsuccessful uses of the mount system call in Ubuntu 22.04 must generate an audit record.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must audit all uses of the mount command.", "vuldiscussion": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", "checktext": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"mount\" command with the following command:\n\n$ sudo auditctl -l | grep mount\n\n-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k export\n-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k export\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to generate audit records upon successful/unsuccessful attempts to use the \"mount\" command by adding or updating the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k export\n-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k export\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on Exporting to Media (successful)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml", "template": {"name": "audit_rules_dac_modification", "vars": {"attr": "mount", "key": "export"}, "backends": {}}}