Profile Applicability:
• Level 2
Description:
Monitoring successful filesystem mount events provides visibility into changes in the system’s mounted filesystems, helping detect unauthorized mount operations that may affect system security or data integrity.
Rationale:
Collecting audit logs for mount events supports detection of unauthorized or unexpected filesystem mounts, aiding incident response and system integrity monitoring.
Impact:
Pros:
Enhances monitoring of filesystem changes.
Enables timely detection of suspicious mount activity.
Cons:
May increase audit log volume; requires appropriate log management.
Default Value:
Audit rules for successful filesystem mounts may not be enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check current audit rules for mount events:
auditctl -l | grep mount
Verify that audit rules exist for the mount syscall on both the b64 and b32 architectures and that they filter on successful calls (success=1).
Implementation Plan:
Using Linux command line:
Add audit rules to log successful mount syscalls:
auditctl -a always,exit -F arch=b64 -S mount -F success=1 -k mount
auditctl -a always,exit -F arch=b32 -S mount -F success=1 -k mount
Persist rules by adding them to /etc/audit/rules.d/audit.rules.
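The following is an added example, not part of the benchmark text, that automates the Test Plan check above: it reads rule lines in the format printed by `auditctl -l` and passes only when a successful-mount rule is present for both the b64 and b32 architectures. The sample rule sets are constructed; note that `auditctl -l` prints the key as `-F key=mount` while rule files use `-k mount`, so a plain `grep mount` alone does not confirm the rule is complete.

```shell
#!/bin/sh
# Added example: check that loaded audit rules cover successful mount()
# syscalls on both ABIs, as the benchmark requires. Reads rule lines
# (the `auditctl -l` format) from stdin. Returns 0 if both arch=b64 and
# arch=b32 rules are present, 1 otherwise.
check_mount_rules() {
    have64=0
    have32=0
    while IFS= read -r rule; do
        # A qualifying rule is an exit rule on the mount syscall that
        # filters on success=1 and carries the agreed key "mount".
        case "$rule" in *"-a always,exit"*) ;; *) continue ;; esac
        case "$rule" in *"-S mount"*) ;; *) continue ;; esac
        case "$rule" in *"-F success=1"*) ;; *) continue ;; esac
        # `auditctl -l` prints "-F key=mount"; rule files use "-k mount".
        case "$rule" in *"key=mount"*|*"-k mount"*) ;; *) continue ;; esac
        case "$rule" in
            *"arch=b64"*) have64=1 ;;
            *"arch=b32"*) have32=1 ;;
        esac
    done
    [ "$have64" -eq 1 ] && [ "$have32" -eq 1 ]
}

# Constructed sample output of `auditctl -l` on a compliant host.
SAMPLE_COMPLIANT='-a always,exit -F arch=b64 -S mount -F success=1 -F key=mount
-a always,exit -F arch=b32 -S mount -F success=1 -F key=mount'

# Constructed sample where the b32 rule lacks the success=1 filter.
SAMPLE_PARTIAL='-a always,exit -F arch=b64 -S mount -F success=1 -F key=mount
-a always,exit -F arch=b32 -S mount -F key=mount'

# Live check against the running kernel ruleset (requires root):
#   auditctl -l | check_mount_rules && echo "mount auditing OK"
```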
Backout Plan:
Using Linux command line:
Remove or disable mount audit rules if necessary:
auditctl -d always,exit -F arch=b64 -S mount -F success=1 -k mount
auditctl -d always,exit -F arch=b32 -S mount -F success=1 -k mount
Reload audit daemon configuration.
References:
CIS Amazon Linux 2 Benchmark v3.0.0