Check: PHTN-67-000056
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000056
(in versions v1 r6 through v1 r2)
Title
The Photon operating system must audit the execution of privileged functions. (Cat II impact)
Discussion
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215
Check Content
At the command line, execute the following command to obtain a list of setuid files: # find / -xdev -perm -4000 -type f -o -perm -2000 -type f Execute the following command for each setuid file found in the first command: # grep <setuid_path> /etc/audit/audit.rules Replace <setuid_path> with each path found in the first command. If each <setuid_path> does not have a corresponding line in the audit rules, this is a finding. A typical corresponding line will look like the following: -a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=-1 -k privileged Note: This check depends on the auditd service to be in a running state for accurate results. Enabling the auditd service is done as part of a separate control.
Fix Text
At the command line, execute the following command to obtain a list of setuid files: # find / -xdev -perm -4000 -type f -o -perm -2000 -type f Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following line: Replace <setuid_path> with each path found in the first command. -a always,exit -F path=<setuid_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged At the command line, execute the following command: # /sbin/augenrules --load
Additional Identifiers
Rule ID: SV-239127r856045_rule
Vulnerability ID: V-239127
Group Title: SRG-OS-000327-GPOS-00127
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-002234 |
The information system audits the execution of privileged functions. |