{"description": "Verify the system generates an audit record when privileged functions are executed.\n\nIf audit is using the \"auditctl\" tool to load the rules, run the following command:\n\n<pre>$ sudo grep execve /etc/audit/audit.rules</pre>\n\nIf audit is using the \"augenrules\" tool to load the rules, run the following command:\n\n<pre>$ sudo grep -r execve /etc/audit/rules.d</pre>\n\n\n<pre>-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid</pre>\n<pre>-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid</pre>\n\n\nIf both the \"b32\" and \"b64\" audit rules for \"SUID\" files are not defined, this is a finding.\nIf both the \"b32\" and \"b64\" audit rules for \"SGID\" files are not defined, this is a finding.", "rationale": "Misuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have\ncompromised information system accounts, is a serious and ongoing concern\nand can have significant adverse impacts on organizations. Auditing the use\nof privileged functions is one way to detect such misuse and identify the\nrisk from insider threats and the advanced persistent threat.", "severity": "medium", "references": {"nist": ["CM-5(1)", "AU-7(a)", "AU-7(b)", "AU-8(b)", "AU-12(3)", "AC-6(9)"], "srg": ["SRG-OS-000326-GPOS-00126", "SRG-OS-000327-GPOS-00127", "SRG-APP-000343-CTR-000780", "SRG-APP-000381-CTR-000905", "SRG-OS-000755-GPOS-00220"], "pcidss4": ["10.2.1.2", "10.2.1", "10.2"], "stigid": ["UBTU-22-654230"], "stigref": ["SV-260648r958730_rule"]}, "control_references": {"pcidss4": ["10.2.1.2", "10.2.1", "10.2"], "stigid": ["UBTU-22-654230"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return all lines, or the lines are commented out", "ocil": "Verify Ubuntu 22.04 audits the execution of privileged functions.\n\nCheck if Ubuntu 22.04 is configured to audit the execution of the \"execve\" system call using the following command:\n\n<pre>$ sudo grep execve /etc/audit/audit.rules</pre>\n\nThe output should be the following:\n\n\n<pre>-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid</pre>\n<pre>-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to audit the execution of the \"execve\" system call.\n\nAdd or update the following rules to \"/etc/audit/rules.d/audit.rules\":\n\n\n<pre>-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid</pre>\n<pre>-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid</pre>\n<pre>-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid</pre>\n\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", 
"vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must audit the execution of privileged functions.", "warnings": [{"general": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must audit uses of the \"execve\" system call.", "vuldiscussion": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.", "checktext": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"execve\" system call with the following command:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv\n\nIf the command does not return all lines, or the lines are commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to audit the execution of the \"execve\" system call.\n\nAdd or update the following file system rules to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], 
"sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Events When Privileged Executables Are Run", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml", "template": null}