SLES-15-030640 - The SUSE operating system must generate audit records for all uses of the privileged functions - setgid arch=b32

Information

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152

Solution

Configure the SUSE operating system to generate an audit record for any privileged use of the 'execve' system call.

Add or update the following rules in '/etc/audit/rules.d/audit.rules':

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

To reload the rules file, restart the audit daemon

> sudo systemctl restart auditd.service

or issue the following command:

> sudo augenrules --load

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_15_V1R6_STIG.zip

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

References: 800-53|AC-6(9), 800-53|AU-7a., 800-53|AU-7b., 800-53|AU-8b., 800-53|AU-12(3), 800-53|CM-5(1), CAT|III, CCI|CCI-001814, CCI|CCI-001875, CCI|CCI-001877, CCI|CCI-001878, CCI|CCI-001879, CCI|CCI-001880, CCI|CCI-001881, CCI|CCI-001882, CCI|CCI-001889, CCI|CCI-001914, CCI|CCI-002234, Rule-ID|SV-234963r622137_rule, STIG-ID|SLES-15-030640, Vuln-ID|V-234963

Plugin: Unix

Control ID: 4c517c6664c0e419af03f6de80f91b7d9cd6fb4627c50a2e9859d30dd3b330f4