Ensure auditd Collects Information on Exporting to Media (successful)
An XCCDF Rule
Description
At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd
daemon is configured to
use the augenrules
program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules
in
the directory /etc/audit/rules.d
, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=exportIf the
auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules
file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Rationale
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_media_export
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition: