UBTU-18-010358 - The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions - euid b64 auditctl

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.

Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.

Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127

Solution

Configure the Ubuntu operating system to audit the execution of all privileged functions.

Add or update the following rules in the '/etc/audit/rules.d/stig.rules' file:

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv

Notes: For 32-bit architectures, only the 32-bit specific entries are required.
The 'root' account must be used to view/edit any files in the /etc/audit/rules.d/ directory.

In order to reload the rules file, issue the following command:

# sudo augenrules --load

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_LTS_V2R8_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002233, CCI|CCI-002234, Rule-ID|SV-219281r610963_rule, STIG-ID|UBTU-18-010358, STIG-Legacy|SV-109889, STIG-Legacy|V-100785, Vuln-ID|V-219281

Plugin: Unix

Control ID: 8703d0ff5eef2fd96f71c6e084c7d0f6bb34620b75ac202820d5526d61850d9c