CCE-94277-1
Platform: cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9 | Date: (C)2019-11-07 (M)2023-07-04
At a minimum, the audit system should collect media exportation
events for all users and root.

If the 'auditd' daemon is configured to use the 'augenrules' program to
read audit rules during daemon startup (the default), add the following
line to a file with the suffix '.rules' in the directory
'/etc/audit/rules.d', setting ARCH to either b32 or b64 as appropriate
for your system:

    -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export

If the 'auditd' daemon is configured to use the 'auditctl' utility to
read audit rules during daemon startup, add the following line to the
'/etc/audit/audit.rules' file, setting ARCH to either b32 or b64 as
appropriate for your system:

    -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export
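A field-by-field check for the rule above, as an added example that is not part of the CCE entry or its OVAL definitions. It goes beyond an exact-line match by accepting any field order, a comma-separated syscall list, and the 'unset' and '-1' spellings of 4294967295; the function name and the sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the CCE entry). Reads audit rules on stdin and
# succeeds only if one rule carries every field of the 'export' mount rule.
# Usage on a host: cat /etc/audit/rules.d/*.rules | has_export_rule b64

has_export_rule() {    # hypothetical helper name; $1 = b32 or b64
    awk -v arch="$1" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            act = sc = ar = lo = un = key = 0
            for (i = 1; i < NF; i++) {
                opt = $i; val = $(i + 1)
                if (opt == "-a" && (val == "always,exit" || val == "exit,always")) act = 1
                if (opt == "-S" && val ~ /(^|,)mount(,|$)/) sc = 1
                if (opt == "-F" && val == "arch=" arch) ar = 1
                if (opt == "-F" && val == "auid>=1000") lo = 1
                # auditctl treats unset and -1 as 4294967295
                if (opt == "-F" && val ~ /^auid!=(4294967295|unset|-1)$/) un = 1
                if (opt == "-k" && val == "export") key = 1
            }
            if (act && sc && ar && lo && un && key) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample rule sets (not taken from a real system).
GOOD_RULES='# 30-export.rules
-a always,exit -F arch=b64 -S mount,umount2 -F auid>=1000 -F auid!=unset -k export'
# Missing the auid!=4294967295 filter: processes with no login UID are not excluded.
WEAK_RULES='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S mount -F auid>=1000 -k export'

for name in GOOD_RULES WEAK_RULES; do
    eval "rules=\$$name"
    if printf '%s\n' "$rules" | has_export_rule b64; then
        echo "$name: export rule present for b64"
    else
        echo "$name: export rule MISSING for b64"
    fi
done
```

The check covers the rule files only; compare against the output of 'auditctl -l' to confirm what the kernel has actually loaded.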
Parameter:
[yes/no]
Technical Mechanism:
The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss.
CCSS Severity | Value |
---|---|
CCSS Score | 5.1 |
Exploit Score | 2.5 |
Impact Score | 2.5 |
Severity | MEDIUM |
Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |

CCSS Metrics | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality | LOW |
Integrity | NONE |
Availability | LOW |
References:

Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72171 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:55718 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84046 |