Ensure auditd Collects Information on Exporting to Media (successful)

Classification:

compliance

Framework:

Control:

Description

At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:

-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export

Rationale

The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG\_BIT) = "32" ] && RULE\_ARCHS=("b32") || RULE\_ARCHS=("b32" "b64")

for ARCH in "${RULE\_ARCHS[@]}"
do
 PATTERN="-a always,exit -F arch=$ARCH -S .\* -F auid>=1000 -F auid!=4294967295 -k \*"
 GROUP="mount"
 FULL\_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export"
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

 fix\_audit\_syscall\_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL\_RULE"
 fix\_audit\_syscall\_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL\_RULE"
done