CCE-96216-7| Platform: cpe:/o:suse:suse_linux_enterprise_server:15 | Date: (C)2022-09-27 (M)2023-07-04 |
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Parameter:
[yes/no]
Technical Mechanism:
Fix:Configure the SUSE operating system to generate an audit record for all uses of the "umount" and "umount2" system calls.
Add or update the following rules to "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount
To reload the rules file, restart the audit daemon
> sudo systemctl restart auditd.service
or issue the following command:
> sudo augenrules --load
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 5.1 | Attack Vector: LOCAL |
| Exploit Score: 2.5 | Attack Complexity: LOW |
| Impact Score: 2.5 | Privileges Required: NONE |
| Severity: MEDIUM | User Interaction: NONE |
| Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | Scope: UNCHANGED |
| | Confidentiality: LOW |
| | Integrity: NONE |
| | Availability: LOW |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84430 |
