{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix <tt>.rules</tt>\nin the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F path=/usr/bin/write -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F path=/usr/bin/write -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "rationale": "Misuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have compromised system accounts,\nis a serious and ongoing concern and can have significant adverse impacts on organizations.\nAuditing the use of privileged functions is one way to detect such misuse and identify\nthe risk from insider and advanced persistent threats.\n<br /><br />\nPrivileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity.", "severity": "medium", "references": {"srg": ["SRG-APP-000029-CTR-000085"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"write\" command with the following command:\n\n$ sudo auditctl -l | grep write\n\n-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=unset -k privileged-write", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records upon successful/unsuccessful attempts to use the \"write\" command by adding or updating the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=unset -k privileged-write\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " Ubuntu 22.04 must audit all uses of the write command.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must audit all uses of the write command.", "vuldiscussion": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.", "checktext": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"write\" command with the following command:\n\n$ sudo auditctl -l | grep write\n\n-a always,exit -F path=/usr/bin/write -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-write\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to generate audit records upon successful/unsuccessful attempts to use the \"write\" command by adding or updating the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/bin/write -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-write\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on the Use of Privileged Commands - write", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_write/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/usr/bin/write"}, "backends": {}}}