Ensure auditd Collects Information on the Use of Privileged Commands
Description
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition
PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd
daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add a line of
the following form to a file with suffix .rules
in the directory
/etc/audit/rules.d
for each setuid / setgid program on the system,
replacing the SETUID_PROG_PATH part with the full path of that setuid /
setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules
for each setuid / setgid program on the
system, replacing the SETUID_PROG_PATH part with the full path of that
setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threast.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
<ns10:sub idref="xccdf_org.ssgproject.content_value_function_perform_audit_rules_privileged_commands_remediation" use="legacy"/>
perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Search for privileged commands
shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat"
check_mode: no
register: find_result
tags:
- audit_rules_privileged_commands
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-2(4)
- NIST-800-53-AU-6(9)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.2.2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030360
# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
find:
paths: "/etc/audit/rules.d"
recurse: no
contains: "^.*path={{ item }} .*$"
patterns: "*.rules"
with_items:
- "{{ find_result.stdout_lines }}"
register: files_result
tags:
- audit_rules_privileged_commands
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-2(4)
- NIST-800-53-AU-6(9)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.2.2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030360
- name: Overwrites the rule in rules.d
lineinfile:
path: "{{ item.1.path }}"
line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
create: no
regexp: "^.*path={{ item.0.item }} .*$"
with_subelements:
- "{{ files_result.results }}"
- files
tags:
- audit_rules_privileged_commands
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-2(4)
- NIST-800-53-AU-6(9)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.2.2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030360
- name: Adds the rule in rules.d
lineinfile:
path: /etc/audit/rules.d/privileged.rules
line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
create: yes
with_items:
- "{{ files_result.results }}"
when: item.matched == 0
tags:
- audit_rules_privileged_commands
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-2(4)
- NIST-800-53-AU-6(9)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.2.2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030360
# Adds/overwrites the rule in /etc/audit/audit.rules
- name: Inserts/replaces the rule in audit.rules
lineinfile:
path: /etc/audit/audit.rules
line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
create: yes
regexp: "^.*path={{ item.item }} .*$"
with_items:
- "{{ files_result.results }}"
tags:
- audit_rules_privileged_commands
- medium_severity
- restrict_strategy
- low_complexity
- low_disruption
- NIST-800-53-AC-17(7)
- NIST-800-53-AU-1(b)
- NIST-800-53-AU-2(a)
- NIST-800-53-AU-2(c)
- NIST-800-53-AU-2(d)
- NIST-800-53-AU-2(4)
- NIST-800-53-AU-6(9)
- NIST-800-53-AU-12(a)
- NIST-800-53-AU-12(c)
- NIST-800-53-IR-5
- NIST-800-171-3.1.7
- PCI-DSS-Req-10.2.2
- CJIS-5.4.1.1
- DISA-STIG-RHEL-07-030360
Warning
This rule checks for multiple syscalls related to privileged commands;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each syscall that needs to be checked. For example:
audit_rules_privileged_commands_su
audit_rules_privileged_commands_umount
audit_rules_privileged_commands_passwd