Check: SLES-12-020240
SLES 12 STIG:
SLES-12-020240
(in versions v2 r13 through v1 r3)
Title
The SUSE operating system must generate audit records for all uses of the privileged functions. (Cat III impact)
Discussion
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152
Check Content
Verify the operating system audits the execution of privileged functions using the following command:

# grep -iw execve /etc/audit/audit.rules

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.

If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
Fix Text
Configure the operating system to audit the execution of privileged functions.

Add or update the following rules in "/etc/audit/rules.d/audit.rules":

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

The audit daemon must be restarted for the changes to take effect.

# sudo systemctl restart auditd.service
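The manual grep above leaves the pass/fail decision to the reader. The script below is an added example, not part of the STIG or of the audit package, that automates the Check Content: it looks for each of the four required execve rules (b32 and b64, for both the setuid and the setgid comparison) in a rules file, ignores commented-out lines, prints any rule that is missing, and returns non-zero when the check would be a finding. The function name check_privileged_exec_rules and the two sample rules files are constructed for this example; on a real host you would point it at /etc/audit/audit.rules (the file the check reads) or at /etc/audit/rules.d/audit.rules (the file the fix edits).

```shell
#!/bin/sh
# Added example (not from the STIG): verify the four execve audit rules
# required by SLES-12-020240 are present in a given audit rules file.
# Usage: check_privileged_exec_rules /etc/audit/audit.rules
# Returns 0 when all four rules are present, 1 when any is missing (a finding).
check_privileged_exec_rules() {
    rules_file="$1"
    missing=0
    for arch in b32 b64; do
        for key in setuid setgid; do
            # The uid/euid comparison identifies SUID executions, gid/egid identifies SGID.
            if [ "$key" = setuid ]; then
                cond='-C uid!=euid -F euid=0'
            else
                cond='-C gid!=egid -F egid=0'
            fi
            # Drop commented-out lines, then require arch, execve, the comparison
            # and the key all on one rule line. -F treats patterns literally and
            # -- stops grep from reading a pattern that starts with "-" as an option.
            if ! grep -v '^[[:space:]]*#' "$rules_file" \
                 | grep -iw execve \
                 | grep -F -- "arch=$arch" \
                 | grep -F -- "$cond" \
                 | grep -q -F -- "-k $key"; then
                echo "missing: -a always,exit -F arch=$arch -S execve $cond -k $key"
                missing=1
            fi
        done
    done
    return $missing
}

# Constructed sample rules files for demonstration (not real system files).
SAMPLE_COMPLIANT="$(mktemp)"
cat > "$SAMPLE_COMPLIANT" <<'EOF'
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
EOF

# Same content but with the b64 SGID rule commented out: the check must report it.
SAMPLE_FINDING="$(mktemp)"
cat > "$SAMPLE_FINDING" <<'EOF'
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
#-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
EOF
trap 'rm -f "$SAMPLE_COMPLIANT" "$SAMPLE_FINDING"' EXIT

# Demonstration runs on the constructed files.
check_privileged_exec_rules "$SAMPLE_COMPLIANT" && echo "compliant sample: not a finding"
check_privileged_exec_rules "$SAMPLE_FINDING" || echo "finding sample: FINDING"
```

The check is deliberately strict about all four rules: auditd only applies rules whose arch matches the syscall ABI in use, so a rule set with only b64 lines leaves 32-bit binaries that gain root through a SUID bit unaudited, which is exactly why the STIG treats a missing b32 or b64 line as a finding.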
Additional Identifiers
Rule ID: SV-217209r854111_rule
Vulnerability ID: V-217209
Group Title: SRG-OS-000327-GPOS-00127
CCIs
Number | Definition
---|---
CCI-001814 | The information system supports auditing of the enforcement actions.
CCI-001875 | The information system provides an audit reduction capability that supports on-demand audit review and analysis.
CCI-001877 | The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
CCI-001878 | The information system provides a report generation capability that supports on-demand audit review and analysis.
CCI-001879 | The information system provides a report generation capability that supports on-demand reporting requirements.
CCI-001880 | The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
CCI-001881 | The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.
CCI-001882 | The information system provides a report generation capability that does not alter original content or time ordering of audit records.
CCI-001889 | The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
CCI-001914 | The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
CCI-002234 | The information system audits the execution of privileged functions.