Check: SLEM-05-654195
SUSE Linux Enterprise Micro (SLEM) 5 STIG: SLEM-05-654195 (in version v1 r1)
Title
SLEM 5 must generate audit records for all uses of privileged functions. (Cat II impact)
Discussion
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Check Content
Verify SLEM 5 generates an audit record for any privileged use of the "execve" system call with the following command:

> sudo auditctl -l | grep -w 'execve'

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid

If the "b32" and "b64" audit rules for "SUID" files are not both defined, this is a finding.

If the "b32" and "b64" audit rules for "SGID" files are not both defined, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above. The rules match on the architecture, the "-C uid!=euid" or "-C gid!=egid" comparison and the "-F euid=0" or "-F egid=0" filter, so an execve that raises the effective user or group ID to root is recorded regardless of the key name chosen.
Fix Text
Configure SLEM 5 to generate an audit record for any privileged use of the "execve" system call.

Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

To reload the rules file, restart the audit daemon:

> sudo systemctl restart auditd.service

or issue the following command:

> sudo augenrules --load

Note: "-k setuid" in the rules file is listed by "auditctl -l" as "-F key=setuid". If the audit configuration has been made immutable with "-e 2", loaded rules cannot be changed and the new rules take effect only after a reboot.
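The following shell script is an added example, not part of the STIG or of any DISA or SUSE tooling. It applies the Check Content above to the text that "sudo auditctl -l" prints, and evaluates the four rules the Fix Text installs. The function names "has_execve_rule" and "check_slem_05_654195" are chosen for this example, and the two rule listings embedded in it are constructed samples (one compliant host, one host that loaded only the 64-bit rules), not captures from a real system. As the note above allows, the match ignores the key value and tests only the architecture, the "-C" comparison and the "-F euid=0" / "-F egid=0" filter.

```shell
#!/bin/sh
# Added example for SLEM-05-654195: evaluate `auditctl -l` output for the
# four privileged-execve rules. Not part of the STIG; names are illustrative.

# has_execve_rule RULES ARCH COMPARE IDFIELD
#   RULES   = multi-line text as printed by `auditctl -l`
#   ARCH    = b32 | b64
#   COMPARE = 'uid!=euid' | 'gid!=egid'
#   IDFIELD = euid | egid
# Returns 0 when an always,exit execve rule with those fields is present.
# Field order and the key name are deliberately not significant.
has_execve_rule() {
    printf '%s\n' "$1" \
      | grep -F -e '-S execve' \
      | grep -F -e "-F arch=$2" \
      | grep -F -e "-C $3" \
      | grep -F -e "-F $4=0" \
      | grep -q -e '^-a always,exit'
}

# check_slem_05_654195 RULES
# Prints one status line per required rule and returns 0 only when all
# four (SUID and SGID, b32 and b64) are loaded; anything else is a finding.
check_slem_05_654195() {
    rules="$1"
    status=0
    for arch in b32 b64; do
        if has_execve_rule "$rules" "$arch" 'uid!=euid' euid; then
            echo "ok      SUID execve rule ($arch)"
        else
            echo "MISSING SUID execve rule ($arch)"; status=1
        fi
        if has_execve_rule "$rules" "$arch" 'gid!=egid' egid; then
            echo "ok      SGID execve rule ($arch)"
        else
            echo "MISSING SGID execve rule ($arch)"; status=1
        fi
    done
    return $status
}

# Constructed sample: what `sudo auditctl -l` prints on a compliant host.
# The key was set to "privileged" to show that the key name does not matter.
COMPLIANT_RULES='-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=privileged
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=privileged
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=privileged
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=privileged'

# Constructed sample: a host where only the 64-bit rules were loaded.
# This is a finding because the b32 rules are missing for both SUID and SGID.
PARTIAL_RULES='-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid'

echo "--- compliant sample ---"
if check_slem_05_654195 "$COMPLIANT_RULES"; then echo "RESULT: not a finding"; fi

echo "--- partial sample ---"
if ! check_slem_05_654195 "$PARTIAL_RULES"; then echo "RESULT: FINDING"; fi

# On a live SLEM 5 host, run the check against the loaded rules instead:
#   check_slem_05_654195 "$(sudo auditctl -l)"
```

The partial sample is the case the STIG wording is easiest to misread: the rules for both architectures are required, so a host with only the b64 rules still produces a finding even though every 64-bit setuid or setgid execve is being audited.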
Additional Identifiers
Rule ID: SV-261462r996793_rule
Vulnerability ID: V-261462
Group Title: SRG-OS-000327-GPOS-00127
CCIs
Number | Definition
---|---
CCI-001814 | The information system supports auditing of the enforcement actions.
CCI-001875 | Provide an audit reduction capability that supports on-demand audit review and analysis.
CCI-001877 | Provide an audit reduction capability that supports after-the-fact investigations of incidents.
CCI-001878 | Provide a report generation capability that supports on-demand audit review and analysis.
CCI-001879 | Provide a report generation capability that supports on-demand reporting requirements.
CCI-001880 | Provide a report generation capability that supports after-the-fact investigations of security incidents.
CCI-001881 | Provide an audit reduction capability that does not alter original content or time ordering of audit records.
CCI-001882 | Provide a report generation capability that does not alter original content or time ordering of audit records.
CCI-001889 | Record time stamps for audit records that meet organization-defined granularity of time measurement.
CCI-001890 | Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
CCI-001914 | Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.
CCI-002234 | Log the execution of privileged functions.