Add umount syscall record to 8.1.13

2018-10-21 04:03:00 +08:00 · 2018-10-21 04:03:00 +08:00 · c4dbd14ed8
parent 3edc26f2a4
commit c4dbd14ed8
1 changed files with 4 additions and 1 deletions
--- a/bin/hardening/8.1.13_record_successful_mount.sh
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@ -14,7 +14,10 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4

 AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k mounts'
+
 FILE='/etc/audit/audit.rules'

 # This function will be called if the script status is on enabled / audit mode