{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the auditd daemon is configured to use the augenrules\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix .rules\nin the directory /etc/audit/rules.d:\n-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to /etc/audit/audit.rules:\n-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
", "rationale": "Misuse of the init command may cause availability issues for the system.", "severity": "medium", "references": {"nist": ["AU-12(c)"], "srg": ["SRG-OS-000477-GPOS-00222"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"init\" command with the following command:\n\n$ sudo auditctl -l | grep init\n\n-a always,exit -F path={{{ path }}}/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records upon successful/unsuccessful attempts to use the \"init\" command by adding or updating the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path={{{ path }}}/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " Ubuntu 22.04 must audit all uses of the init command.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Successful/unsuccessful uses of the init command in Ubuntu 22.04 must generate an audit record.", "vuldiscussion": "Misuse of the init command may cause availability issues for the system.", "checktext": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"init\" command with the following command:\n\n$ sudo auditctl -l | grep /usr/sbin/init\n\n-a always,exit -S all -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-init\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure the audit system to generate an audit event for any successful/unsuccessful uses of the \"init\" command by adding or updating the following rule in the \"/etc/audit/rules.d/audit.rules\" file:\n\n-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on the Use of Privileged Commands - init", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_privileged_commands_init/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/usr/sbin/init"}, "backends": {}}}