The SUSE operating system must generate audit records for all uses of the privileged functions.

From SLES 12 Security Technical Implementation Guide

Part of SRG-OS-000327-GPOS-00127

Associated with: CCI-001814 CCI-001875 CCI-001877 CCI-001878 CCI-001879 CCI-001880 CCI-001881 CCI-001882 CCI-001889 CCI-001914 CCI-002234

SV-92019r1_rule The SUSE operating system must generate audit records for all uses of the privileged functions.

Vulnerability discussion

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152

Check content

Verify the SUSE operating system generates an audit record when privileged functions are executed.

Find relevant setuid programs using the following command once for each local system partition, replacing "[PARTITION]" with each local system partition:

# sudo find [PARTITION] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

Verify all of the programs found with the command above are listed in the audit file by running the following command for every program found, replacing "[FILE_PATH]" with each program to include the full path:

# grep [FILE_PATH] /etc/audit/audit.rules

Expected output, a watch rule for that program:

-w [SETUID_FILE_PATH] -p wa -k privilege_function

All setuid programs on the system must have a corresponding audit rule, or there must be an audit rule for the subdirectory that contains the setuid file. If any of the setuid programs/files on the system do not have an audit rule, this is a finding.

Fix text

Configure the SUSE operating system to generate an audit record for all uses of privileged functions.

Find relevant setuid programs using the following command once for each local system partition, replacing "[PARTITION]" with each local system partition:

# sudo find [PARTITION] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

For every setuid program not covered by an audit rule for a subdirectory, add a line for each setuid program in "/etc/audit/audit.rules", replacing "[SETUID_FILE_PATH]" with the full path to the setuid program from the list above:

-w [SETUID_FILE_PATH] -p wa -k privilege_function
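The check and fix above, automated as an added example (this script is not part of the STIG): it walks the setuid/setgid inventory of one partition, accepts a watch rule on the file itself or on any parent directory (a directory watch covers its tree), and prints the exact "-w ... -p wa -k privilege_function" line to add for anything uncovered. It assumes the rules file is /etc/audit/audit.rules as on the page, and recognises only the "-w" watch syntax the STIG uses.

```shell
#!/bin/sh
# Added example, not STIG text: compare setuid/setgid programs on a partition with the
# "-w PATH -p wa" watch rules the STIG requires. Inputs assumed: a partition mount point
# and an audit rules file (default /etc/audit/audit.rules, as on the page).

# is_covered FILE RULES: succeed if a "-w" watch on FILE or any parent directory
# carries both "w" and "a" in its -p permissions (a directory watch covers its tree).
# Only the -w syntax used by the STIG is recognised, not "-a ... -F path=" rules.
is_covered() {
    rules=$2 dir=$1
    while :; do
        if awk -v p="$dir" '
            $1 == "-w" && $2 == p {
                for (i = 3; i < NF; i++)
                    if ($i == "-p" && index($(i+1), "w") && index($(i+1), "a")) found = 1
            }
            END { exit found ? 0 : 1 }' "$rules"; then
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# rule_for FILE: the audit.rules line the fix text prescribes for an uncovered program.
rule_for() {
    printf '%s\n' "-w $1 -p wa -k privilege_function"
}

# check_partition PARTITION RULES: list setuid/setgid files on PARTITION (not crossing
# mount points, as the STIG's find does) that no watch rule covers; fail if any exist.
check_partition() {
    part=$1 rules=$2
    uncovered=$(find "$part" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r f; do is_covered "$f" "$rules" || echo "$f"; done)
    [ -z "$uncovered" ] && return 0
    echo "FINDING: no -w ... -p wa rule covers these programs; rules to add:"
    echo "$uncovered" | while IFS= read -r f; do rule_for "$f"; done
    return 1
}

# Usage: sh check_privilege_audit.sh /usr [/etc/audit/audit.rules]
if [ "$#" -gt 0 ]; then
    check_partition "$1" "${2:-/etc/audit/audit.rules}"
fi
```

Run it once per local partition, as the STIG's find command is run; a non-zero exit with the printed rules is the finding.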
