{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix <tt>.rules</tt>\nin the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "rationale": "Without generating audit records that are specific to the security and\nmission needs of the organization, it would be difficult to establish,\ncorrelate, and investigate the events relating to an incident or identify\nthose responsible for one.\n\nAudit records can be generated from various components within the\ninformation system (e.g., module or policy filter).", "severity": "medium", "references": {"nist": ["AU-3", "AU-12(a)", "AU-12(c)", "MA-4(1)(a)"], "stigid": ["UBTU-22-654030"], "stigref": ["SV-260608r958446_rule"]}, "control_references": {"stigid": ["UBTU-22-654030"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "To verify that auditing of privileged command use is configured, run the\nfollowing command:\n<pre>$ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/*</pre>\nIt should return a relevant line in the audit rules.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on the Use of Privileged Commands - chfn", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/usr/bin/chfn"}, "backends": {}}}