{"description": "Verify the system generates an audit record when actions are run as another user.\nsudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user.\n\nIf audit is using the \"auditctl\" tool to load the rules, run the following command:\n\n<pre>$ sudo grep execve /etc/audit/audit.rules</pre>\n\nIf audit is using the \"augenrules\" tool to load the rules, run the following command:\n\n<pre>$ sudo grep -r execve /etc/audit/rules.d</pre>\n\nThe output should be the following:\n\n<pre>-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.", "rationale": "Creating an audit log of users with temporary elevated privileges and the\noperation(s) they performed is essential to reporting. Administrators will\nwant to correlate the events written to the audit trail with the records\nwritten to sudo's logfile to verify if unauthorized commands have\nbeen executed.\nMisuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have\ncompromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations.\nAuditing the use\nof privileged functions is one way to detect such misuse and identify the\nrisk from insider threats and the advanced persistent threat.", "severity": "medium", "references": {"cis": ["6.3.3.2"]}, "control_references": {"cis": ["6.3.3.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return all lines, or the lines are commented out", "ocil": "Verify Ubuntu 22.04 audits execution as another user.\n\nCheck if Ubuntu 22.04 is configured to audit the execution of the \"execve\" system call using the following command:\n\n<pre>$ sudo grep execve /etc/audit/audit.rules</pre>\n\nThe output should be the following:\n\n<pre>-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to audit the execution of the \"execve\" system call.\n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n<pre>-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset -k user_emulation</pre>\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must audit execution as another user.", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events When Executables Are Run As Another User", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/rule.yml", "template": null}