From c4dbd14ed8c5051b02e6bc6508733ed5d73aa9e4 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Sun, 21 Oct 2018 04:03:00 +0800
Subject: [PATCH] Add umount syscall record to 8.1.13
---
 bin/hardening/8.1.13_record_successful_mount.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
index 1ddf5e5..b553176 100755
--- a/bin/hardening/8.1.13_record_successful_mount.sh
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -14,7 +14,10 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4

 AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k mounts'
+
 FILE='/etc/audit/audit.rules'

 # This function will be called if the script status is on enabled / audit mode
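Review bot: The added `arch=b64 -S umount` rule names a syscall that, as far as I know, the x86_64 table does not have (only `umount2` exists there; plain `umount` is a legacy i386 call), so auditctl is likely to reject that line as an unknown syscall, and depending on how the rules file is loaded the rules after it may be skipped as well. Unmounts made through `umount2`, which umount(8) normally uses, would also stay unrecorded on both architectures. I would change the b64 line to `-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k mounts` and add a matching `arch=b32 -S umount2` line beside the b32 `umount` one. How AUDIT_PARAMS is written into /etc/audit/audit.rules is outside this hunk, so the behaviour on load should be confirmed against that code.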