{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix <tt>.rules</tt>\nin the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F path=/usr/bin/at -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F path=/usr/bin/at -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "rationale": "Misuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have compromised system accounts,\nis a serious and ongoing concern and can have significant adverse impacts on organizations.\nAuditing the use of privileged functions is one way to detect such misuse and identify\nthe risk from insider and advanced persistent threats.\n<br /><br />\nPrivileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity.", "severity": "medium", "references": {"nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "To verify that auditing of privileged command use is configured, run the\nfollowing command:\n<pre>$ sudo grep '\\bat\\b' /etc/audit/audit.rules /etc/audit/rules.d/*</pre>\nIt should return a relevant line in the audit rules.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on the Use of Privileged Commands - at", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/usr/bin/at"}, "backends": {}}}