{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix <tt>.rules</tt>\nin the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "rationale": "Misuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have compromised system accounts,\nis a serious and ongoing concern and can have significant adverse impacts on organizations.\nAuditing the use of privileged functions is one way to detect such misuse and identify\nthe risk from insider and advanced persistent threats.\n<br /><br />\nPrivileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability.\nAs such, motivation exists to monitor these programs for\nunusual activity.", "severity": "medium", "references": {"nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "ism": ["0582"]}, "control_references": {"ism": ["0582"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "To verify that execution of the command is being audited, run the following command:\n<pre>$ sudo grep \"path=/usr/sbin/seunshare\" /etc/audit/audit.rules /etc/audit/rules.d/*</pre>\nThe output should return something similar to:\n<pre>-a always,exit -F path=/usr/sbin/seunshare -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Any Attempts to Run seunshare", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/usr/sbin/seunshare"}, "backends": {}}}